
Jeremy Turner - The ๐Ÿ

InsurSec Podcast
113 plays, 11 months ago

This week we have Jeremy Turner - Head of Cyber & Risk at Cogility - on the podcast.

One for the books!

Transcript

Introduction to InsurSec Podcast

00:00:03
Speaker
Your federal seemed to invent your conversations at the intersection of cyber security, risk management and cyber insurance.
00:00:20
Speaker
Welcome to the InsurSec podcast. You got your hosts here, Abe Gibson and Ryan Dunn.

Guest Introduction: Jeremy Turner

00:00:26
Speaker
This week we got Jeremy Turner on the show. Jeremy has an interesting background that I'm super excited to dive into and learn more about. Just to give you a heads up, he is part of the reason we have RDP port automatic declinations.
00:00:45
Speaker
He's doing some really interesting stuff on the threat side of things. Jeremy, welcome to the show. How you doing, man? Great. Glad to be here. Looking forward to it. Absolutely. Awesome. We try to start out the show with getting your background. We say it every single episode, so it's really redundant, but you can start back as far as
00:01:12
Speaker
you know, mom and dad fell in love or wherever you kind of see fit.

Jeremy's Cybersecurity Journey Begins

00:01:18
Speaker
Yeah. Cool. Yeah. So I guess, uh, you know, my interest in cybersecurity in general started when I was in high school. I mean, this is like the date myself, this is like back in the mid nineties. Um, so, you know, it was at that time, it was kind of the wild west. Uh, there was so many vulnerabilities and like, you know, everybody's just trying to figure out how to make stuff work, let alone secure it.
00:01:37
Speaker
Um, so it was a perfect time to, you know, kind of use the world as my playground to figure out, you know, all the things that I wanted to learn about cybersecurity. Um, but you know, that's at times when like developing things like exploits was, you know, relatively simple compared to today's, you know, standards on that. Um, but it really, it really captivated me in the way that it became kind of a lifelong interest. Um, you know, and while I've bounced around in different areas, you know, you know, cyber threat intelligence and cybersecurity is just something that's kind of been in my DNA for a long time.
00:02:08
Speaker
Were you a script kiddie? Everybody starts off there. Some people stop there, but yeah, I really enjoyed kind of like actually just unpacking things and picking things apart. And I really got into reverse engineering.
00:02:23
Speaker
from the get-go and I really just liked the fact that I could find all these new things that nobody else could see, you know, even with an applications just by like kind of disassembling them and, you know, looking how they function and looking at things like, you know, vulnerabilities that, you know, other people may not see. I just really liked that kind of concept and, you know, reverse engineering stuff became like doing like crossword puzzles or like other things for me. It was just kind of a challenge and it really stuck with me. Yeah.
00:02:52
Speaker
Now, Jeremy, were you, uh, I mean, were you also pretty ingrained in programming at all when you were growing up? Was that, was that part of your fascination with it?
00:03:02
Speaker
Ironically, the thing I've been most familiar with my entire career is actually assembly, which is a little bit arcane. Like most people don't really get into it, but because I was so much into kind of reverse engineering, it's probably been my most familiar language. And everything else I just kind of hack my way along, or now I have ChatGPT so I can just use that.
00:03:26
Speaker
For those of you that are probably going to be tuning in from an audio perspective, Jeremy's background is one that I've never seen before.

Career Path and Current Role at Cogility

00:03:39
Speaker
And he has a license plate with hacker on the back of it. Um, it is perfectly acoustics. And, uh, it almost looks like he's probably been in your environment in some way, shape or form. It looks like one of those stock images when you search hacker, it looks like one of those stock images.
00:04:01
Speaker
One of a kind. Um, that's interesting. And so also, uh, you're part of Cogility now. Um, definitely want to dig into what you guys are doing there. Uh, and, and then we can kind of get into more, um, you know, relevant stuff that's going on in the industry. But, uh, you know, what was your path to Cogility? How'd you end up there? Where, you know, where'd you start and how'd you get there now?

Underwriting Cyber Risk and Data Analysis

00:04:29
Speaker
Yeah, it's kind of a winding path. So I did a lot of time as a government contractor in the DC area. Then I wound up doing some management consulting for a small boutique consulting firm called Crumpton Group. After Crumpton Group, I joined Coalition when it was pretty early. It was around 40 people. And witnessed the great expansion of that company and got to participate in the very early development of things like how we do underwriting and the technology and processes to support that.
00:04:57
Speaker
Um, you know, there's like, I was fortunate enough in the management consulting company that I worked with a lot of folks that were CIA veterans. So they had retired from that environment and I was able to absorb a lot of the different processes and methodologies that they used on a daily basis, things like structured analytic techniques and all those other kinds of fun things.
00:05:14
Speaker
They really helped me think differently about approaching problems like underwriting cyber risk and looking at things from a structured approach so we can iteratively tune things as we gain knowledge and learn new things about what's going on. I found Cogility actually when I was at Coalition and I was looking for a way to solve some of the big challenges in underwriting cyber risk.
00:05:39
Speaker
tend to as an industry have scans and reports that we can get on demand or maybe start monitoring companies over time, but it really doesn't cover any of the historical period for the company. And to do that, you really have to essentially underwrite every company in the market continuously so that when you want to actually look at a company, you have a profile or a journal of all the different factors that may play into an underwriting decision.
00:06:04
Speaker
And the historical perspective there is something I think that's not really considered a lot in the industry, but it's incredibly informative when you're looking at risk. If you see a company that looks great today, but last month they had RDP and six other vulnerable technologies exposed, you can formulate and make some analytic assumptions on what happened there. They probably had some incident and now they're like, oh, we need cyber insurance. So being able to see those historic perspectives is incredibly helpful.
00:06:31
Speaker
It also enables things like looking at risk aggregation or catastrophic risk scenarios from a quantitative perspective versus a simulated perspective, which we've all seen those simulations and cat risk in the industry. And they're pretty wild.
00:06:48
Speaker
Yeah, very broad stroke. Being able to pull out some facts and formulate a factual basis on modeling things like cat risk and aggregated risk really requires a whole market approach towards analysis. And, you know, everybody thought I was crazy when I was like, I'm just going to want to analyze every company in the US continuously. We're just like, that's funny.
00:07:09
Speaker
Um, but I really kind of got stuck in the idea, just like, you know, reverse engineering, you know, some application or something. And I just kind of like, I couldn't get out of that track. Um, so I just pursuing it and, um, kind of through some fortuitous circumstances on some, somebody I met at a conference like six years ago and knew somebody that, you know, it was working and like, Hey, have you ever heard of this company, Cogility? And I was like, no. Um, but when I looked at what they were doing,
00:07:35
Speaker
they're taking a different approach to it. So instead of storing all the data, like say, you know, if you want to underwrite every company in the US, instead of storing all the data and scan data and all the other kind of data that you need in a giant database and then querying it when you need to compile a report, you know, it takes in order that amount of resources to be able to do that. And instead, there's kind of a unique take, I think, which is going to be the future of how cybersecurity analysis is done in general.
00:07:58
Speaker
which is real-time stream processing. And what Cogility is doing and what I'm doing now enables us to take in those firehose feeds of massive data sets, internet-scale data sets, but only retain the facts that are relevant to our objective, which is the US companies, just commercial entities and private and public as well.
00:08:19
Speaker
But doing it in that process, instead of having to store petabyte scale data and deal with all the problems that go along with that, we're committing maybe a couple hundred gigs a month versus these petabytes of data we'd have to retain otherwise.
00:08:34
Speaker
So kind of looking at the problem differently, and when I saw Cogility's technology and what they were doing, they were using it for completely different application and insider threat and behavioral modeling. But I saw the process and how the technology worked at scale for that use case. And I was like, I just knew that this was going to be the technology that would enable me to do this.
00:08:55
Speaker
Yeah, I think about that all the time, the whole, you know, why don't we just analyze every company in the US and kind of make a profile of that company that we can just tap into, right? But there's a huge issue, like you're saying, from a storing capacity.
00:09:14
Speaker
uh, standpoint, but also, um, I mean, some type of, I am assuming some type of liability along with it. Um, yeah, if you look at it from the other side, you know, essentially what it is, is it would be a great targeting platform for the bad guys. You'd be able to basically giving them the effect.
00:09:34
Speaker
So there's a lot of consideration and controls that go into how when we kind of roll out the commercial full release of that kind of product, what it's going to look like, and probably also how we go to market with it. Instead of kind of an individual consumer user, like single user, being able to access a lot of data is probably going to be pretty limited.
00:09:56
Speaker
where companies like insurance companies or reinsurance carriers would be able to access that data, uh, much more broadly. Yeah. Yeah. It's definitely needed. Yeah. So there's, there's something that you mentioned that's completely, completely kind of off topic of what we're talking about right now, but I've got so many people, it's almost like on the, the insure tech side of things that, you know, there's like this, uh,
00:10:25
Speaker
I don't know what to say this kind of reputation for like, if you're a VC firm out in Silicon Valley, if somebody is like a dropout at Stanford, it's like usually a good indicator that they're going to be successful.
00:10:40
Speaker
This is a, that's what I'm starting to feel like about early employees at Coalition. I just miss people at Coalition that were like, yeah, I was there early. Yeah. I was there early. Um, I've also met some that weren't, um, but, but, uh,
00:10:59
Speaker
Before we hop into what you're doing right now in more detail, take us through what it was like building Coalition, which is kind of set the
00:11:12
Speaker
the standard for, you know, small business cyber insurance, right? It just seems like everybody's kind of playing the copycat game. It's like, okay, Coalition did this in 2019 and then everybody's doing it in 2021, right? It's just, everybody follows. Take us through kind of what, what that was like being there early and what you're doing.
00:11:35
Speaker
Yeah, I think at that time, there was a heavy focus and kind of a heavy weight on the cybersecurity professional side of folks that were at Coalition. So we had obviously a great insurance industry team led by some really talented folks in the insurance industry.
00:11:52
Speaker
And Josh obviously able to manage finances and raise money and take care of that side of the business extremely well. It really just kind of took the pressure off all of the cybersecurity minds of the company. And we really had a lot of influence early on, a lot more than probably I see a lot of the other folks in the cyber insurance industry.
00:12:15
Speaker
They focus primarily on insurance products where Coalition and its initial focus was really on the cybersecurity problem and how do we use insurance as a method to solve those problems and communicate the risks that we see. I think it was incredibly effective at doing that. I think that a lot of folks that are in the industry and small business
00:12:37
Speaker
you know, they want to run their business, they don't want to have to think about and learn cybersecurity. So kind of providing, it was almost like a consulting service, really, of the types of underwriting that we were doing. And being able to communicate that in human language, I think is incredibly important. And I think that the best vehicle for communication is insurance.
00:12:57
Speaker
I can't remember countless times when I was on a call with their cybersecurity guy or their IT MSSP and we're like, hey guys, you really got to upgrade this firewall because of these reasons. And the CEO was like, well, no, we can't do that. And I was like, well, it's fine. If you don't want to upgrade it, this is the difference with premium and it's a couple hundred dollars difference. And then it totally changed the conversation. He's like, wait a minute, why?
00:13:23
Speaker
Well, because it's more risk and this is why. And here's the claims to support the data. It's like, oh, wow, we really got to replace this thing right now. So the MSSP or their IT security guy was like, that's, this is, you know, they're about to go spend 10 grand to replace the firewall that he's been trying to get replaced for years. But suddenly when the C-suite can see that
00:13:44
Speaker
Oh, the insurance company actually sees more risk and we're going to have to pay more for it. That must mean there's really a risk. And I think it just really is about how those different exposures get communicated. And early on, we partnered a lot with brokers on opportunities to really go through and meet and talk with every single opportunity that we could.
00:14:04
Speaker
And I think that was also a really big part of it. Because we were trying to do something different, being able to communicate effectively and spend the resources and time to actually engage with brokers and be their partner and opportunities, I think really kind of helped us be perceived more as an asset, even though we had a much higher friction process for binding business.
00:14:26
Speaker
It's probably the secret sauce there. We were really engaging the industry as cybersecurity experts in partnership with our insurance industry folks, and we were given a lot of room to communicate.
00:14:42
Speaker
Yeah, I think time and time again, we see insurance as like the perfect vector to push new behaviors from companies. I mean, the shining example that we all see today or saw yesterday, meaning two years ago was MFA. I think MSPs have been trying to get their clients to do MFA for years and then suddenly it's like everybody has it.
00:15:12
Speaker
It is wild when insurance, I've always had the opinion that insurance is the perfect vertical to push cybersecurity behavior and to improve it just across all of the U.S.
00:15:27
Speaker
Um, and Coalition, I mean, to echo Abe's sentiment, like it's wild. Everybody that we speak to was like, yeah, I was like employee number six there, employee number 10. And so it's crazy how like the Coalition tree, almost like the, uh, how they compare to like the Bill Belichick tree or, you know, the Bill Parcells tree of like NFL coaches.
00:15:49
Speaker
The Coalition tree is actually really strong with some of the people that are still making an impact in this industry. I think that it's like in that early time, we were also given an incredible amount of runway from leadership to really experiment and try new things.
00:16:08
Speaker
figure it out. So it's like, well, what do we need to solve this problem? If we detect a risk, how can we avoid that? And there was a lot of effort and time that went into not just the technology, but also the business processes and cycles that we can use to improve that whole experience.
00:16:25
Speaker
Um, so, you know, we're trying to protect the loss ratio, but at the same time, we're also trying to, um, kind of deal with the issues that come with, you know, doing things differently in the industry. Uh, you know, it's that high friction process again, but you know, it's, it's one of those things where I think that because we were able to do that and, you know, maybe a lot of other companies that are, that had more seasoned executives would be like, you never want to do that because it's going to lower your bind rate.
00:16:50
Speaker
We were really kind of given the opportunity to try it out. I really do think it actually moving the needle. I think cyber insurance as a whole, as an industry is actually improving cyber risk for the US nationally. Probably the most effective measure or gains that any other product technology agency has ever been able to do because you're really communicating and reaching stakeholders in a language that they can understand.
00:17:19
Speaker
I have a question about something that we were talking about in the Intrinsic Discord group. What's your beef with port 3389? Yeah.

Challenges in Underwriting: RDP Port Exposure

00:17:30
Speaker
So, you know, it's, it's really crazy. Um, there was always some, some vulnerabilities and opportunities with RDP being exposed.
00:17:38
Speaker
But there became this kind of like incredible focus from different threat actors on RDP when the EternalBlue vulnerability got published and there were PoCs everywhere to be able to operationalize that. And it's really juicy for threat actors for a bunch of reasons. When they're looking at something that's hosted on-prem, that means there's hard assets where they can go encrypt somebody's network there. So it was kind of like one of those things that solved two problems for them.
00:18:06
Speaker
finding a vulnerability and finding a good target. And so because it kind of really just, you know, became an easy button for them, you know, they just went crazy. And then even after EternalBlue was patched, you know, mostly, they still had all this really good targeting data from targeting RDP at all these organizations.
00:18:27
Speaker
So then they're like, well, hey, I've got a whole database of credentials I can throw at this thing. And so even if it's fully patched when it's still exposed, it was just something that they get into that track and that focus. And as long as it continues producing results, then they're going to keep targeting that exposure. I think that the way that the
00:18:48
Speaker
The way that some in the industry have broadly implemented, you know, decline everything with RDP is kind of interesting. I think there's some RDP that's much worse than others. Obviously the hosting classification for that asset makes a huge difference. If it's like an ISP connection, you know, that would be connected to a brick and mortar office, that's entirely different than being on like a, you know, GoDaddy VPS instance for a marketing site.
00:19:12
Speaker
But I think that the context is key, but creating that context from a technical and underwriting process is actually rather difficult. So I think that's where it frustrates a lot in the industry. It's like you're getting declined for something and the company's got great cyber hygiene and everything else, but they hired a third-party marketing company that's using a subdomain and they're using RDP to manage that site.
00:19:36
Speaker
And just communicating the intricacies of that and helping everybody understand what it is and making the underwriter comfortable and everything else that goes along with it, it takes somebody kind of in the middle in many instances. But it also takes the supporting data to understand what is the real exposure of this asset. Yeah. I think it's one of the things about coalition and a few other
00:20:04
Speaker
MGAs is that they have the technical staff to be able to help translate some of that context to the underwriter. But I think what's even more frustrating is when you're working with more of like a legacy carrier that does not have really any internal risk engineers or cybersecurity professionals and you're just working with an underwriter that kind of spent most of their career in professional liability or management liability and they just like got moved to cyber.
00:20:33
Speaker
And then they run their little port scan and they see there's an exposed RDP and then you cannot have a high level conversation about any compensating controls or any context around it with them. That's even more frustrating. So I do appreciate that at least at Coalition and some of the other MGAs that they have staff on hand to be able to help with that translation. But yeah, I completely agree. Sorry, Ryan, I cut you off.
00:21:01
Speaker
Well, I thought what Jeremy said, you know, context is everything, and we talked about that in a previous podcast about how context, when it comes to underwriting, is everything with cyber insurance. Absolutely. I feel bad for so many municipalities that are actually doing things right. Yeah. I can look at them from a, from my perspective, I can say, wow, these guys are
00:21:24
Speaker
really good. They're actually, they don't have anything on-prem. They're all cloud-based. They have good process of everything else, but they get hit so hard just because of the industry class. And it's like, that's frustrating. Because it's really, it's like when they, I feel like municipalities making decisions, they're more likely to pay the extra for the cyber insurance than they are to actually fix the problems they have, which is just going to keep compounding the problem.
00:21:49
Speaker
So, you know, I always liked at Coalition, you know, we really kind of went the extra mile on a lot of opportunities to really underwrite the risk instead of the market class. And of course, we're still beholden to, you know, approvals on everything, but there's some that were worth going to the mat for. And I think that when we did, you know, the relationships that we built with brokers because of that were a lot stronger than they would have been otherwise, just kind of, you know, looking at things from industry class or single type of exposure.
00:22:17
Speaker
without really digging into the nuances with that specific risk. Yeah. That's something that we stress on with the underwriters that we work closely with. Surprisingly, there actually are a good handful of underwriters who have the technical jobs that know that they can write based off a risk and not off a class and they'll push some classes through that they normally wouldn't write.
00:22:47
Speaker
And so, you know, it's, it's just good to see that the industry starting to catch onto that and get people within their doors that have the technical chops. I can start to do that because, you know, really, I mean, on the, on the flip side of the coin, you got these scans that have created such like a.
00:23:06
Speaker
Congestion in the underwriting process. A lot of these carriers adopted these scans, just almost playing copycat like Abe was saying, and it's led to so much frustration on the underwriting side when the RDP port's open but it really is no threat. You know, it's like you said, it connects to a GoDaddy marketing website or whatever.
00:23:27
Speaker
And then now that MSP or internal IT staff has to get involved and they're talking to somebody that doesn't know what they're necessarily. And it's not even just RDP. It's like any open port is just bad. That's the sentiment. And it's five critical. I mean, the craziest part about that is typically when you're a cybersecurity analyst and you see the nothing,
00:23:55
Speaker
for whatever domain, you know, it's like, this is probably not their primary domain. Yes. Well, that might just sail on through on the folks that are just using the reports and not considering context again. You know, it's like, usually when you get like a nothing, no assets kind of thing, you just have like mail servers and stuff. You're like, you're missing something big.
00:24:13
Speaker
Um, and, uh, yeah, that's, you know, being able to dig into that and understand when that happens, like, you know, that there's a company that has like 150 different domains and they use one that's a new rebrand, but it's not connected to any of their legacy infrastructure. Uh, you know, they'll sell right through those things where, you know, it's like, if you actually have somebody in the mix that can see those and spot those, be like, no, this is like a mid-market company and there's no way they don't have anything. Somewhere special mid-market. Um,
00:24:43
Speaker
Yeah, what, I know that you also mentioned that there's some interesting things going on in the cybersecurity world. I'd love to start digging into that stuff because, you know, I'd love to bring some relevancy to
00:24:59
Speaker
recent events going on right now. Absolutely. I think that over the last year, there's been a trend for adversaries to start looking at their own lens of risk aggregation, finding those pockets of instances where they can compromise one company that facilitates access or massive impact to many.
00:25:20
Speaker
And we kind of saw this over the last couple of years with different third parties, I think like Kaseya and a few of the others that kind of hit hard in the industry, especially around some kind of classes.
00:25:33
Speaker
Um, you know, and there's the threat actors have kind of like, again, like just like RDP was the piece of cheese they kept chasing. Um, you know, this kind of risk aggregation scenarios are like whale hunting is kind of like their new thing. Where we see them dedicating a lot more time towards open source research and reconnaissance and really trying to target, um, you know, specific companies that are going to enable a much broader impact or access.
00:25:59
Speaker
The manufacturing industry right now is in particular being targeted. And it's kind of like a really, I think, critical way where they're targeting the companies that produce the software and control systems to automate a lot of the manufacturing processes.
00:26:16
Speaker
And that's really a concern. Those companies tend to have support access to a lot of places to support customers. And I just start thinking through the different scenarios that are possible there. And it kind of really worries me about what can happen in the next quarter or so. Just because I see that they're focusing on something where I know that there's
00:26:39
Speaker
a nexus there that is going to be facilitating the type of target they're going to look for. And I see this is probably going to be something that happens probably within the next quarter that we're going to see the manufacturing industry being targeted by these different threat actors.
00:26:55
Speaker
And just reviewing it from my perspective and the data that we have, looking at the kind of vulnerabilities that exist for those kind of companies that the ones that manufacture the control systems and the software wasn't really reassuring. It seemed like there's likely to be some future incidents. And in fact, there has been an uptick in things like infostealer infections and some of those companies already just in the last week.
00:27:29
Speaker
You all have the intelligence to start to see upticks in certain categories like that.

Internet Weather Report for Threat Intelligence

00:27:34
Speaker
It's almost like if you're related to that to a property insurance market, like, Hey, uh, we see a hurricane coming or there's a tropical storm off the coast of California or off the coast of Florida. Like we can't bind any more accounts until this is like eased off. Right. Um, and I don't think they don't, we don't have that type of threat intelligence right now in the cyber insurance space. So.
00:27:46
Speaker
So it seems like that's kind of well underway.
00:27:58
Speaker
Like that, that's where my mind went a little bit there, but yeah, it's actually one of the things that we literally want to produce like the internet weather report. Yeah. And even the logos are picking for products are actually different, like flags for different categories of types of storms and stuff. So it's like, uh, you know, it's, uh, yeah, we see that, you know, having that kind of wide perspective.
00:28:19
Speaker
you know, you can kind of look and see what's going on. And I think it's really helpful because as, you know, underwriters and others use that kind of tool over time, they're going to get some familiarity, um, you know, with, you know, again, to cut broader context on what's going on. And I think that that's going to give them a lot of, um, kind of additional knowledge or insight and the types of risks that they're looking at and maybe the things that they can, you know, knowledge they can share with their opportunities they're chasing.
00:28:47
Speaker
What is the scope of these findings? What are you looking for? Is this all public facing information? What is the substance of these findings?
00:29:07
Speaker
Yeah, so there's part of the information that's public facing. A lot of what we use for enumeration to discover all the assets that a company has that exist within their company or in the case of a holding company, the portfolio, all that stuff is really done pretty much open source.
00:29:26
Speaker
some of the datasets are bulk feeds that are something you could just go get for free. You have to either create those or buy those, like all the IP address registrations and BGP route information and DNS records and DNS WHOIS.
00:29:41
Speaker
All those things are really helpful for kind of formulating what an entity's assets are. Then we have some other, a lot of the other sources that we use to look at risk right now are either sources we've developed or ones that we purchased. So like the internet scan data, we partnered with a company called DriftNet just because they have really good resolution. It's a relatively new company and their approach kind of really fit what we would have tried to build.
00:30:09
Speaker
we had to build it. So we partner where we can, but if we can't find a good partner for the type of data that we know would be helpful for this type of risk analysis, then we'll build it. You know, Cogility is a company where, you know, it's like 90 something percent engineers. So all engineers, so tackling these problems and building these things is like,
00:30:32
Speaker
It's fun, and it's like everybody wants to be in that stuff. So we kind of have like a single hive mind when it comes to engineering problems in focus, which is really good for tackling some of those. We're also partnering and doing collection on things like botnet logs. And we have some other types of internet telemetry that are much broader that we're doing. One of those in particular is some NetFlow analysis.
00:30:58
Speaker
We really try to be cautious about how we're leveraging that capability. So we're collecting flow from adversary infrastructure only, and then we post-process that to identify all the signals that interact with US companies. But that's a really notoriously difficult data set to work with.
00:31:18
Speaker
because the signal to noise ratio is just off the chart. But when you do find interesting signals that are useful in there, they're incredibly informative and it's near real time telemetry. So it's very helpful in providing additional context. So if you see a vulnerability like
00:31:38
Speaker
Microsoft Exchange Server that's vulnerable. And, you know, as an underwriter, you'd say, okay, that's a big vulnerability. But the question in your mind is, is somebody already compromised that? Am I going to be writing a claim here? Or is this something that I can communicate with them and work with them? And we can probably get this remediated. Because some of those things that have been exposed for a while, you know, as an underwriter, like,
00:32:00
Speaker
Ooh, that's a bad one. The question is like, I wish I knew if there was already a problem there. And that's the part that the flow can fix is that, you know, we can see if there has been exploitation or exfiltration from that vulnerability already. And that really helps inform of like, you know, if there's corrective actions that need to be taken, you know, it needs to be more than just patching it. You've got to do some IR and get in there and actually fix the problem or you have another issue in the future.
00:32:28
Speaker
God, that is incredible stuff. Like that is, I think a lot of companies have been trying to practice telemetry, or, you know, telematic type of reading on threat intelligence and this on the face of it, from what you're saying, you're a hell of a salesman, Jeremy, but
00:32:55
Speaker
This sounds really impressive. Just going over my head, it solves a lot of the issues that I think we have in the insurance world right now. There really is no real-time telematics of how risky a portfolio is in insurance. I've had conversations with three insurers, I've had conversations with
00:33:19
Speaker
carriers and their biggest thing is like, how can we take a, you know, how can we have a real time view of our book and what the risk is of our book? Like, you know, in an instant. Yeah. And they, a lot of them have come to the conclusion that it's not possible, but this kind of seems like it's making it possible.
00:33:39
Speaker
Yeah, the internet scans and the attack surface scans are some data, but it's really just data. It's not really intelligence until you add some additional context, either trends on technologies, even things like Citrix, Fortinet, Pulse, those things that have just been time and time again issues.
00:34:00
Speaker
they probably are going to continue to be time and time again issues because now threat actors are dedicating resources, trying to find the next exploit for those devices. The ones that are really common and have big exposures are just going to keep going back to the watering hole.
00:34:16
Speaker
So for the internet scan data alone, there is a little bit of intelligence you can derive from it if you compare broader trends. And past claims data is fantastic for that. If you see a technology that's continuously causing claims, even though it's different vulnerabilities and different CVEs at different times, there's some technologies that are just more prone. Companies in the cybersecurity space, those VPN devices that grew through acquisition are particularly a problem.
00:34:44
Speaker
just because of the complexities of software integration and everything else. Those tend to be some of the biggest magnets. Other just massively complex software like VMware, it's just like you really just can't put these things on the internet because it's a matter of time before there's another vulnerability. They're massive pieces of software and they have so much functionality. Each one of those functions is a new attack surface really. And it's just going to continue to trend that way.
00:35:14
Speaker
You can only get scopes so far with scan data because you still have to make a lot of assumptions. You still have to really lead yourself there. And that's where there's a lot of hesitance. It's like, you know, well, I feel bad that this is there and this looks like it could be an issue, but there's no vulnerability today. So we'll write it. But if you look at those things in broader context or you have additional signals like, you know, stealer infections, like flow data,
00:35:36
Speaker
And those other things that can add new categories of signal that can really help inform an underwriter of, okay, so I see this risk, but what's really going on there? And what does that look like over the last six months to a year? Where is this trending? And I think that those are signals that are really important for both underwriting and continuous risk management of a portfolio.
00:35:58
Speaker
Yeah, you guys are like the third dimension. I mean, you've basically added a new dimension towards scanning. Like CVEs would be 2D, and this is 3D, basically. Yeah, it's also really useful. Like we're trying to work with government agencies that are kind of charged with these things. So like when there's a new thing comes out like the MOVEit vulnerability. Well, you know, we can produce a report that shows all the critical industry, you know, or a critical infrastructure sector companies that have that exposure.
00:36:25
Speaker
So, in a way that might be able to help prioritize how you engage with stakeholders and who you engage with and what process to maximize the effort to lower the impact on the systemic exposure. I think that's really going to be really helpful for managing a book as well because you'll have a prioritized way to address exposures when they come out.
00:36:45
Speaker
You know, instead of having to go look through those things or wait for updates from scan data, you can really just kind of say, okay, we know this new zero-day is out there. It's being actively exploited. Here's, you know, the hundred or so companies that we have in our portfolio that are exposed, but here's the ones that have $10 million limits. Yeah. Let's call them. Yeah. So that kind of answers the question I was going to ask.
00:37:15
Speaker
I'm just curious, what are you looking for when you say that the manufacturing industry is prone to getting hit pretty hard the next coming quarters? What sort of signals are you looking at that's telling you that?
00:37:37
Speaker
Yeah.

Vulnerabilities in the Manufacturing Sector

00:37:38
Speaker
So my process on that was I noticed that there was an uptick in malware infections for one specific company. I won't name names, but there was one company that was a pretty big name in the industry and they had over a hundred different sessions to one of their actual assets
00:37:56
Speaker
in a new set of botnet logs that is out in the wild right now. And I thought it was abnormally high. And so I went to look and see what exactly is that. It's like the remote access technology for every single thing that they have globally. So just looking at how that was set up and how that system was architected, probably back in the 90s, that made sense at the time. But really, it's a gateway to the entire company's infrastructure globally.
00:38:24
Speaker
And just the amount of results that I saw there was pretty staggering. So that to me is a huge red flag that there's some mayhem impending here. It's one thing to see the logs, but there can be a lot of compensating controls or mitigating controls a company can use to really defend against that.
00:38:44
Speaker
But just looking at those signals plus the combination of the infrastructure that they have today and how it's configured, I see that as a big easy button for adversaries and they're going to see it that way as well. So it's already begun to a certain extent.
00:39:03
Speaker
Yeah, they, well, they definitely have the data they need to act on that objective if they discover it. And I'm pretty sure just seeing some of the targeting trends and especially the kind of cyber criminal focus on industries that have typically paid out quickly with very high amounts. I know that that's a sweet spot. So I can't imagine it's going to go unnoticed very long. You know, it's like you have a handful of companies that really kind of have that exposure or that kind of presence in the marketplace in the manufacturing industry.
00:39:32
Speaker
And this was one that just kind of is just huge. And so I can't imagine, you know, somebody sooner or later on the threat actor side is going to stumble on that and they'll make use of it. Yeah. To get the, essentially to get the credentials for those devices, for hundreds of users, they'd probably have to spend $20 or $30.
00:39:52
Speaker
A barrier to entry there for the threat actors. It's worth taking the shot. They probably will. Absolutely. Sounds like this is all, this is all prank though. If you are a threat actor, trap, it's actually the company because it's, yeah. But I mean, we have other, there's a lot of industry partnership and also public private relationships with law enforcement and others
00:40:19
Speaker
to share information like this. And there's a lot of participants, a growing number of participants in companies that specialize in threat intelligence collection like this. I know that there's going to be at least two or three different companies that I'm really familiar with that'll be reaching out on this specific issue that are engaged. So hopefully they can get ahead of the curve.
00:40:40
Speaker
But it's like a cat and mouse thing. In one way, you want to inform the industry and speak with a megaphone about these issues and exposures. But the same way, you don't want to just create an RSS feed for a threat actor. It's just going. Such a race, yeah. You also talked about the aggregation of risk. A system like Kaseya,
00:41:06
Speaker
You know, we're actually going to be having Cysurance on next week on the podcast and, yeah, so they are the warranty paper behind Kaseya's new warranty program. One thing, one thing that
00:41:28
Speaker
blows my mind about these warranty programs is that you're partnering with a system that's deployed to every single one of their clients. And so if there's a systemic impact on Kaseya, which we've already seen before, you know, every client gets impacted and the book gets blown up. And so, yeah, I'm just curious, like I just, what are you seeing from, cause I see that as a major risk, like Kaseya is all these
00:41:57
Speaker
aggregators, but what's the threat intelligence looking like on that? It's

Risks of MSSP Services with Cyber Insurance

00:42:03
Speaker
pretty tough. I'd have to read the warranty. If it's dependent on the configuration, there's a lot of MSSPs that don't configure things properly or don't have MFA. It's like, what are the requirements for that to trigger? I guess it'd be one of my first questions. But also, to your point, to me, that just sounds like
00:42:25
Speaker
an unmanageable risk because it is a tremendous aggregation. And because it's like when I see other companies that are pairing things like MSSP services with cyber insurance policies, I kind of like...
00:42:40
Speaker
It's such a good idea, but it's such a bad idea. In one way, you want to be able to detect things and respond to them, but now you're really on the hook for that and it's difficult. It's a very difficult business to scale without losing results. Being a defender for one company is very difficult.
00:43:02
Speaker
being a defender for hundreds of companies is extraordinarily difficult. It's also the tools you're deploying to do that are creating more attack surface. It is a huge aggregation because now you have one tool that essentially can torch your whole book. From my perspective, I liked the idea of it from a
00:43:25
Speaker
purely theoretical perspective, but from a practical application. I mean, there's just so many things that can go wrong. It seems like it would just be a matter of time before something. So does it seem like when we're talking about aggregation of risk or systemic risk, there's a lot of the conversation, and I think we went back and forth on LinkedIn about this, was about
00:43:53
Speaker
you know, industry verticals and systemic risk with, you know, causing essentially an industry to go down, but it seems much more likely that the, the risk is probably with, you know, dependencies, right? So.

Systemic Risks: Cloud Providers vs Industry Verticals

00:44:15
Speaker
There's not a whole lot of cloud service providers, so if a major cloud service provider had significant downtime, would that cascade across just various industries? Is that the way that you see the most damaging systemic risk or
00:44:36
Speaker
Yeah, talk to me about that, just your view on that. Yeah. So I think that those, it very rapidly gets into the theory perspective because none of those events that are really being postulated as these catastrophic risks have actually ever happened. And so in one way, it's really easy to sit there and come up with doomsday scenarios all day long that would be massively impactful and terrible.
00:44:57
Speaker
But in reality, even thinking about this from the attacker side for perspective, just thinking about how difficult it would be to pull off some of those attacks.
00:45:07
Speaker
And what would you get from it? You know, as a cyber criminal, what's the reason or how are you going to recover the amount of effort and expenditure and resources that it takes to actually act on that type of objective? You know, and it almost seems like for things to really get to the point where some of those cat scenarios actually be realistic, you'd almost have to have like, it would be like,
00:45:30
Speaker
I don't want to say it, but it would have to be a major conflict. So I just think a lot of emerges completely unrealistic when we see these massive numbers proposed. I think that the cyber attack on the, what was it, CIBC, the big Chinese bank recently, they're really good example of that. I've seen people propose that that type of attack would have caused trillions of dollars of loss
00:45:56
Speaker
Turns out, probably not so much. So I think that it's really easy to theorize these things, and it's much easier to convince people that this doomsday scenario is plausible, and it's going to be terrible and catastrophic than it is to get people to say, hey, let's take a practical approach to this from both sides of the coin. You have to have an adversary with motivation to really affect this.
00:46:15
Speaker
And you have companies like all the cloud service providers spending billions of dollars on disaster recovery and resilience. So it's like, how are we going to balance this coin of what could be accident? What could be threat actor driven or maybe global event driven?
00:46:32
Speaker
But we don't have any data to actually support any of those major catastrophic events yet. And so until we actually have a real example to look at, I don't think it's really worth kind of speculating on what the risk would be because as more, we see more and more of those cat type events actually happen in the real world.
00:46:49
Speaker
The loss really seems to be broadly mitigated a lot more than anybody would have really expected. Like I thought the CIBC outage would have had much more impact than it actually did. So it's like not even hundreds of millions. And the proposed theory for something like that was in the billions or trillions of dollars. These things just don't add up. And I think until we have real world data,
00:47:15
Speaker
Nice to think about cat risk and keep it in mind for some scenarios. But really we have to look at concrete data. Yeah, I feel like that most of the reports were done by actuaries who have really very
00:47:36
Speaker
minimal amounts of understanding of attackers and cybersecurity. And I think they set their upper bounds to literally the entire world economy, understand how they got to, you know, numbers with, you know, trillion at the end of it. But yeah, I honestly think that they like calculate it and they, you know, they get to the number and it's almost like you're taking that test where all like you get a number and it's not on like any of the four options. And they're like,
00:48:04
Speaker
I guess. One trillion dollars is the systemic risk impact. Those are usually the same folks in the industry that say cyber risk is uninsurable and the government should insure it. It's like cyber risk, in my opinion, is the most insurable type of risk because we can actually develop intelligence to predict and mitigate these things before they actually happen, which you can't say with almost anything else in the insurance industry.
00:48:31
Speaker
So I'm in full disagreement with all those things that think that cyber insurance isn't possible. They say things like the growing number of vulnerabilities is growing every day, therefore the risk is going to be growing unmanageably through the future. It's like, well, the statement of more vulnerabilities is
00:48:52
Speaker
are going to happen is true. It's really this kind of false dichotomy of you're not considering the millions of other factors that go into that. I am so with you. I think cyber insurance is going to flip the insurance world upside down with how insurable it is.
00:49:12
Speaker
Absolutely. For me, I can see an intelligence-driven approach towards underwriting, starting in cyber insurance and actually spreading through other areas. We have the technology to really underwrite risks, not industries and locations and things like that. Really, it's just about the industry orienting, turning this huge aircraft carrier in a different direction.
00:49:42
Speaker
I wish we had Barry on here right now. Just to give everybody listening a little TMI, I had that, that was a shower thought. I'm like,
00:50:01
Speaker
God, like this is going to be the, this is going to change the whole way we do insurance because it's the first insurance product where we can basically track like every single asset that we're insuring, you know, we're not there yet, but we're working towards like
00:50:18
Speaker
you know, data management, vulnerability management, controls, compensated controls, like all of these things are all coming together. And I think we're not too far off from making this an extremely profitable industry and changing the way we operate.
00:50:35
Speaker
integrated risk management programs along with cyber can impact the risks so much. There's a lot of motivation for both parties, both the insurance company and the client to kind of collaborate on those things. I think this is the fact that it kind of creates that partnership where you're getting a lot of data and services from your insurance company. I can see those creating much stronger relationships that can potentially even help those risk management programs grow beyond cyber to encompass other business areas.
00:51:05
Speaker
But I see that the amount of value uninsured can get from a good risk management program driven by a real partner on cyber risk is just incredible. It's going to save them. If they prevent one incident, that could be the company existing or not existing. We're seeing so many companies go bankrupt from wire transfers or ransomware. It's like if they had coverage, they probably would still be in operation.
00:51:32
Speaker
And I think more and more business owners that talk to each other are saying, okay, yeah, this actually works. It's like cyber insurance is the most effective cybersecurity product you can possibly purchase. Completely.
00:51:46
Speaker
But is it too cheap? That's always my challenge of like, you know, speaking with a, like, let's say you have to speak to a small business owner. They don't really have much of a budget per se on cybersecurity. And they're like, Hey, I can buy $2 million worth of cyber insurance for $5,000 a year, or I can spend $60,000 on a cybersecurity program.
00:52:14
Speaker
It's hard to explain to them why you need both. Yeah. Well, you know, it's like, well, you almost get like one shot at that. So if you want to run that way and you have a big claim and there's, you know, in the IR, it's like, well, they didn't have any, you know, default password and everything and everything else. Like, you know, that kind of forensic report is pretty much going to do you. But,
00:52:39
Speaker
Yeah, it's tough. I think that, you know, as more and more companies, cyber insurance companies start to really get more integrated and start to push, you know, kind of a risk management programs or at least awareness, they're going to be able to get feedback and understand, you know, who are the good companies in that category and who are the ones that just don't care. You know, it gets back into the classic hazards categories, you know, but yeah.
00:53:09
Speaker
Yeah, that's definitely valid. I can definitely see that being the issue. I think I've probably been on calls with some of the business owners that made the decision that way. Well, the most successful way that I've seen recently is like, especially for these smaller businesses that
00:53:27
Speaker
You know, they just, they just don't have the budget and they don't see the need. And, you know, I mean, there's tons of insurance brokers that don't think cyber insurance is necessary and it's all like, you know, luxury product. So I can't blame these small business owners

Third-party Cyber Health Awareness: Lessons from Target

00:53:43
Speaker
too much.
00:53:43
Speaker
I've seen on the vendor risk management side of things, you know, these vendor contracts requiring, you know, minimum controls or, you know, certain cyber insurance limits. Is that one of the primary use cases of Cogility on the vendor risk side of things, like getting intelligence on who you work with so that we could potentially prevent things like what happened to Target? Obviously that's one that comes to mind.
00:54:11
Speaker
Yeah, absolutely. So because we're looking at the market, you know, as a whole, you know, how you choose to use it from a first party risk mitigation or a third party risk mitigation is totally open. You know, every company I think could benefit from having this type of, you know, a little bit more than attack surface management, this kind of data. But you know, even extending into the partner ecosystem, you know, you have a lot of companies that are highly dependent upon partners, even just being able to
00:54:38
Speaker
have availability to deliver, you know, without business interruption. So even some of those things could be really, really sensitive to certain companies and being able to at least understand the risk exists and maybe like diversify or find a way to manage that risk, I think is very important. You know, even companies like Apple, when they're looking at who manufactures the little motor that goes on the phone that makes vibrate, you know, they diversify their supply chain and certainly the risk and exposure for those companies that exist in that supply chain are also a factor.
00:55:07
Speaker
because that delays the release of a phone a month. It's like, how much does that cost them? So I think even small companies need to consider who are the most critical third-party entities that I rely on on a day-to-day basis. And they need to know about the cyber health for those entities, because if they're not available tomorrow, because I get hit with ransomware,
00:55:29
Speaker
That could be massively costly, even though it's not the company that's experiencing the incident. There could be a lot of loss of revenue due to those kind of things. Also, I guess from the data perspective, if you're a hospital and you have all these different insurance companies that you're integrating with for medical billing and everything else, you need to know what's going on there when you're giving them network access to your resources with very sensitive information.
00:55:56
Speaker
Because, you know, the liability, you know, rolls uphill, I guess, you know, I think that's a,
00:56:06
Speaker
That's another thing that can help push the cybersecurity industry forward is vendor management and keeping your vendors accountable. That's just something that people don't have today. You basically get into a contract, hey, we need you to have insurance and that's pretty much it. Yeah. There's a lot of companies that use existing commercial products for managing that type of risk from a compliance perspective.
00:56:35
Speaker
But when I get on a phone call with any of the cyber folks at those companies, their feedback from those products for actual cybersecurity is not very good. They lament over things like, look, we got fixing expired SSL certificates. That's our priority this month. Really?
00:56:55
Speaker
Like they lament over the fact that like some of those companies have really kind of made a business out of dressing up very mundane findings to be super critical things just so there's a red dashboard on the sales call.
00:57:06
Speaker
And it's definitely met the ire of the actual technical folks in the cyber industry. Yeah. I think this is a good point that businesses should start to look at cybersecurity as an investment for not just keeping your own company secure and operational, but
00:57:31
Speaker
You can go and you can win contracts if you have good cyber security, that can set you apart. I've seen it already. And I think that's a message that business owners should start to take in a little bit more and use some foresight here. Yeah, that's very true. Yeah. Awesome.
00:57:52
Speaker
Go ahead, Tare, I interrupted you. I was just going to say, any company that's experienced or been in the orbit of a company that's experienced a cyber incident really get a firsthand education on how important that is. As time goes on, like you're saying, more and more companies are going to see that as a strategic advantage if they're partnering with companies that have relatively good cyber hygiene and they're insured.
00:58:19
Speaker
They're going to feel a lot more comfortable with those partners than they would otherwise. It's a great point. It's a great point. Well, this has been fantastic.
00:58:33
Speaker
to all the other podcast guests that I've been on. Close your ears. This has been probably one of my favorite episodes by far. I really appreciate it. Should we keep saying that? It keeps getting better and better and better. This was absolutely fantastic, Jeremy. Yeah. So I appreciate you coming on, man. Where can people find out more about what you're doing and connect with you?
00:59:01
Speaker
Yeah, cogility.com is my company website. I'm available on LinkedIn and I'm happy to set up a meeting, jump on a call. I live, eat and breathe this stuff and I love talking about it and sharing. So if anybody wants to connect on something, please reach out and I'll hook you up with some data or whatever you need. Awesome. Awesome.
00:59:23
Speaker
Yeah, Jeremy's also in the InsurSec Discord group, pretty active on there with some of his friends as well. So we're super thankful that they're in the group to balance out some of the opinions and perspectives that some of us have. Awesome. This has been fantastic. Thanks so much for coming on.