Well, that was Awkward.

Finding Risks others may Miss

It wasn’t the call we wanted to make to a new enterprise client on a holiday weekend. After all, they had an Information Security Department larger than our entire company. The CISO had an alphabet of certifications following his name. They had more than 50 different security tools. But there it was, plain as day. Bad guys are sending data to Russia from their production network. This can’t be good. Gulp. Here goes. Ring. Ring.

The Issue

“Bad guys are sending data to Russia from their production network.”

The first call we made to our technical contact a few days earlier fell on deaf ears. Our team had seen evidence of a remote access tool (TeamViewer) running in their network. They told us we had to be mistaken because that wasn’t allowed by policy. Well, here’s a packet capture of the traffic, we said. Nothing came back from the client. We tried several times. Each day the activity was getting louder. The same internal IP address and host were involved somewhere in the corporate office. The client had top-of-the-line Endpoint Detection and Response (EDR) tools deployed, an expensive Security Information and Event Management (SIEM) platform, and state-of-the-art firewalls, along with a fleet of guys from one of the big advisory firms watching and monitoring everything. Why couldn’t they see it? What was this anomaly inside the client’s otherwise relatively clean production network?

We came in to provide a Proof of Concept (POC) of services using our PacketWatch full-packet capture platform. The POC was a joint project between the Information Security Team and the Network Department. Information Security wanted better visibility on the network, and the Network guys needed a tool to help diagnose application performance and configuration problems. A perfect fit for us to join the team and show them what we could do. We had the CIO and the CISO in the room together. We were on our best behavior. Our devices were installed only a week prior, but we already had tons of data collected. What was going to happen to the POC now, though?

We called in again. No answer. Shoot. Got his voicemail again. We left an urgent message and called everyone else we had met. “Please call back. This is urgent! We have exfil activity originating from the host we identified earlier. It’s also beginning to scan that network segment.” Danger. Danger. It was our best effort to ring the fire bell, but we were just the new guys. About an hour later, our senior project lead received a call from the client’s technical contact. It seems they had just declared an incident and enacted their Incident Response (IR) protocols. He couldn’t talk but would share the details later. Yes, we had seen something! Something big.

A few hours later, the contact told us that the offending device we had seen was a self-service Human Resources (HR) kiosk from a new vendor which had been installed in the corporate cafeteria. It was there to capture employees’ enrollment data for an employee benefits campaign. The device had been installed on the wrong network segment in a rush to get it operational. Since it wasn’t a company device, no EDR was installed. The vendor’s 3rd party IT company managed the kiosk remotely (using TeamViewer). Unfortunately, the vendor’s IT company experienced a breach the week prior. The bad guys used the open TeamViewer connection to access the kiosk. Using the kiosk’s network connection, they were now performing active reconnaissance on our client’s production network. They were also actively exfilling the employee data captured by the kiosk—what a mess. The lawyers will surely get rich on this one. Internal Audit will also document the “multiple cascading control failures stemming from a supply chain partner breach.” Ouch. And our contact admitted, “Yes, you had seen it first!”

Although that initial assignment was not exactly what we expected, it allowed us to show the strength of the PacketWatch platform in providing visibility to the network and the benefit of having a different vantage point from their library of other tools. It also showcased the ability of our team to see what others miss. We earned our spot on the team on that occasion, and it is a relationship we treasure to this day.

A Change in Perspective

PacketWatch can help you get a better perspective on your organization’s cybersecurity risks, too. An Enterprise Security Assessment using the PacketWatch platform will tell you more about what’s hiding in your network – especially things from your vendors. Our team of experts is here to help, and we’d enjoy the opportunity to earn a spot on your team. However, if possible, we’d prefer something a bit less dramatic to get started.

Give us a call at 1-800-864-4667, or reach out via our Contact Us form.

N.B. The names were changed, and certain facts were modified, in an effort to preserve our client’s confidentiality yet share the story.

Yes, But Does It Actually Work?

Comparing and Choosing Cybersecurity Tools

RSA Conference Survey

A survey conducted at this year’s RSA conference summed up a looming problem in the cybersecurity realm. Forbes reported that:

  • 53% of the responding businesses feel they have wasted more than 50% of their cybersecurity budget and still cannot remediate threats
  • 43% of survey respondents say their number one challenge in threat detection and remediation is an overabundance of tools
  • 10% of organizations lack effective tools for remediating cybersecurity threats

Conglomeration of Tools

As we enter a time of economic slowdown and rising threats, now is not the ideal time to reduce cybersecurity budgets. Rather, you need to ensure that every dollar you spend leads to real measurable results. The typical midsized company has 50 to 60 security tools, and enterprises can have up to 130, according to Anomali. The best way to evaluate your unique conglomeration of tools, people, and practices is to look at how effectively it stops attacks. Ideally, this testing would also serve as a training opportunity for your security team. That’s where PacketWatch’s Active Security team comes in.

An Example

I recently spoke with a CEO who completed a merger with a competitor. He assumed the other company had spent as much on their cybersecurity tools as he had. The challenge he faced was how to sort out the tools they would use going forward in the new organization. He just wants it to work.

Opinions abounded from team members about which tools to keep and which to retire. Tempers flared when each team member’s ‘sacred cow’ was placed on the chopping block. I suggested he consider a slightly different approach. I advocated that he set forth a simple goal to the team — keep the set of tools that performs the best in stopping or detecting likely attackers from getting to the crown jewels. Hard to object to that.

Simple Goal

“Keep the set of tools that performs the best in stopping or detecting likely attackers from getting to the crown jewels.”

To make this happen, I suggested he bring in an outside “Red Team” (PacketWatch in this case) to work side-by-side with his internal defenders – creating a custom “Purple Team” exercise. With PacketWatch’s Red Team members emulating the Tactics, Techniques, and Procedures (TTPs) of identified threat actors, the participants could objectively say which tools could best detect, deter, or defeat the threat actor.

The ineffective tools could be retired and/or processes modified. Another benefit of Purple Teaming is the experience the internal team members would gain from seeing an attacker’s behavior and learning how to react quickly using the tools. That turned out to be a winner for the CEO, and it can be for you too.

Next Steps

Your cybersecurity budget will likely face scrutiny from your CFO this year. Why not arm yourself with a proven methodology for optimizing your security tools and retiring any ineffective ones? The result will be a more efficient use of your security budget and some real-world experience for your team defending your network from adversaries. If you’d like to learn more about a PacketWatch Purple Team engagement, call us at 800-864-4667. Our team of Active Security experts will scope a custom exercise for your organization.


Higher Cyber Insurance Loss Rates Mean Big Changes for Businesses

On July 12th, The Arizona Tech Council convened a panel of experts for a forthright discussion about cyber insurance. The panel, moderated by PacketWatch’s CEO, Chuck Matthews, included industry experts Anthony Dagostino, CEO & Founder of Converge Insurance; Chris Branch, Chairman of ATS Underwriting; Wes Gates, CIO of the Arizona School Risk Retention Trust (the Trust), and Tracy Foss, Senior Program Director, Risk Program Administrators, a division of Arthur J. Gallagher. The specialist panel explored current market dynamics, discussed changes in underwriting practices, and shared experiences with the claims process. The goal of the discussion was to help member businesses understand how to effectively use cyber insurance in their arsenal of risk management tools and avoid common pitfalls.

Recent estimates show that the $4.8 billion cyber insurance market is growing at a rapid 25% compound annual growth rate (CAGR) and is expected to triple in the coming years. However, as a result of poor underwriting, direct loss ratios have ballooned to unsustainable numbers. Over the past two years, nearly 70¢ of every dollar in premium went to cover losses from claims involving ransomware, funds transfer loss, and business email compromise-related claims.

The resultant impact on businesses as insurers seek to stem losses is huge and wide-reaching. Smaller businesses are reportedly being priced out of the market entirely. For others, cyber insurance premiums are skyrocketing, with an average 97% increase in 2021. Some companies experienced up to 300% increases. Businesses lacking key cyber controls were not even renewed. Panel members said they expect that trend to continue. In the first quarter of 2022, premiums for the top 25% of businesses increased an average of 83.3%. Companies also experienced other impacts from the loss mitigation methods employed by insurers, including:

  • Reduced Policy Limits – Policy amounts were reduced by a third or half as industry capacity dropped
  • Increased Deductibles or Retentions – for one small business going from $25k to $150k
  • Coverage limitations – including new coinsurance provisions for ransomware, new exclusions of certain types of losses, and new sublimits for others
  • Greater underwriting scrutiny – multiple applications and technical addenda focused on the existence of key vulnerabilities
  • Tougher claims management practices – strict use of panel providers, denial of claims based on application deficiencies

Key Takeaways

  • Read the Policy! Make sure you understand what you are getting and the requirements you are obligated to follow.
  • Make sure you know the Insurer’s Panel Providers which you are required to use in the event of a claim!
  • Expect more changes to coverages, policy language, premium increases, and underwriting practices.
  • Consider preventing losses with additional controls or self-insuring some 1st party risks to reduce premiums.

Shared Experiences

The panel explored and shared experiences on several other topics impacting the use of cyber insurance including:

  1. The applicability of “Act of War” and “Terrorism” policy exclusions in light of nation-state and state-sponsored malware campaigns, given the recent “special military action” between Russia and Ukraine
  2. Conflicts in legal representation and the insured’s loss of control when panel legal counsel and responders are involved
  3. The vicious cycle of ransom payments by insurers creating the need for more cyber insurance to cover ever larger ransoms to criminal organizations
  4. The impact of non-standardized policy language and definitions hindering coverage comparisons for those actively shopping policies
  5. The risk of paying ransoms to potentially OFAC-sanctioned entities or affiliates, given warnings from the US Treasury and others
  6. Small businesses being priced out of the market or excluded because they lack some of the protective controls of larger organizations
  7. Recent litigation surrounding voiding policies due to inaccurate application materials submitted by the insured
  8. The practical impact of insurers underwriting at the time of claim rather than at the time of application and the resultant uncertainty created
  9. The difficulty in managing overlap between conflicting or duplicate provisions in other insurance policies (e.g., crime coverage in a package policy vs. stand-alone cyber policies)
  10. Obligations to use Insurance Panel Counsel and Responders with Reservation of Rights and very large deductibles
  11. Whether policies offering bundled pre-breach, response, and post-breach services were beneficial to the insured vs. managing the effort internally
  12. The necessity to quantify potential 1st- and 3rd-party liability before selecting a policy and limits
  13. The need for a government backstop for systemic risk and terrorist activity to promote additional capital necessary for market growth

Final Thoughts

The panel concluded that ultimately businesses must carefully read every word of the policy being offered, shop around among the myriad insurers, obtain expert help where needed, and judiciously consider what they are purchasing. Five years ago, cyber insurance was relatively inexpensive, and its promises seemed relatively clear and simple. The panel concluded that is no longer the case and that businesses can expect more change in the cyber insurance marketplace in the coming years.

If you are considering cyber insurance and would like to discuss the alternatives for your organization, give us a call.