
Cyber insurance and identity threat detection and response: partners in resilience

Cyber insurance is an important tool in overall cyber resilience, but obtaining it, and ensuring that any claims will be paid out, requires ongoing attention to other defensive areas. One of these is identity threat detection and response, and in particular the protection of Active Directory. James Doggett explains further...

Given the rise of ransomware, breaches, and cyber attacks - and the accompanying risk of reputational damage, compliance violations, penalties, and IP loss - many organizations look to cyber insurance to protect themselves from the financial damage associated with an attack. However, some are struggling with the escalating cost of cyber insurance and the need to demonstrate a strong security posture.

The potentially exorbitant cost of such claims and the complexity of safeguarding increasingly complex digital ecosystems means that such coverage can be pricey. Plus, qualifying for a policy isn’t a given. Even with coverage, organizations that suffer an attack can find that an oversight in their security stance leaves them with a rejected claim. Therefore, relying solely on cyber insurance to protect your IP, customer data, and public reputation is a risky bet.

Fortunately, many requirements for cyber insurance coverage overlap with best practices for effective identity threat detection and response (ITDR). Therefore, implementing ITDR best practices, such as steps to protect Tier 0 assets like Active Directory (AD), increases compliance with insurer requirements while at the same time decreasing the likelihood that you will need to call on that coverage.

The challenge of meeting cyber insurance requirements

The rapid rise of cyber attacks is alarming. A successful breach can lead to a shutdown of company operations, loss of reputation, and significant fines, in addition to financial losses tied directly to the attack.

Cyber insurance strives to help organizations offset financial loss in the event of a cyber attack or breach. Although not a complete list, these losses typically relate to the following:

  1. System damages
  2. Business interruption
  3. Privacy, penalties, and claims
  4. Contractual breaches
  5. Data recovery
  6. Professional expertise fees

However, to qualify for coverage (or reduce your premium), organizations must meet a growing list of requirements. Rates, retention periods, and other control measures depend on your risk profile. Even if you qualify for and purchase a policy, if you fail to maintain strong defenses, your provider might balk at covering a claim if - or when - an incident occurs.

A single click or minor misconfiguration can lead to a major breach. And if your organization fails to meet the security requirements defined by the insurance provider, your policy could be in jeopardy. Clearly, cyber insurance is not a fail-safe for every loss or for every reason.

Aside from a nearly ubiquitous demand for multifactor authentication (MFA), eligibility for coverage and payment often includes the following requirements:

  1. Backup and disaster recovery: regularly back up data and verify that it is retrievable in case of an attack.
  2. Endpoint detection and response (EDR): install antivirus solutions to protect endpoints against malware, viruses, and other attacks.
  3. Identity and access management (IAM): authorise and authenticate users and maintain least privilege policies to make access by attackers more difficult.
  4. Privileged access management (PAM): monitor privileged accounts to detect suspicious behavior and quickly identify compromised accounts.
  5. Patch management: consistently implement patches and updates.

What about Active Directory: your most important Tier 0 asset?

Identity is the new security perimeter, and for most organizations, Active Directory is at its heart. Due to AD’s extensive control and capabilities over your other digital assets (e.g., your critical applications), cybercriminals often target it as their final goal.

Cyber attacks on Active Directory aim to give attackers access to privileges that enable them to plan and execute further attacks. Protecting AD is a vital aspect of maintaining a strong security stance and mitigating risk. Unfortunately, AD, despite having much information about an entire organization, is often not the primary focus when it comes to strengthening the organization’s security posture.

Furthermore, many key applications depend on AD for login functions. For many companies, when AD stops operating, those applications become unusable, too.

In addition, environments that include both on-premises AD and Azure AD complicate identity threat detection and response. Despite their common name, these two identity solutions have very different security models.

Why an effective Active Directory security approach benefits cyber insurance

Security always needs to be a continuous process. Both preventive and corrective solutions are important - you must choose the right products to mitigate or minimise the security risks before, during, and after an attack.

EDR, MFA, and other security solutions are important but are not AD-centric and do not protect AD across this entire attack lifecycle. When an attacker gets past those measures, AD is vulnerable - unless you have AD-specific identity protection in place.

Several of the previously mentioned cyber insurance requirements are part of an effective AD security approach. These include AD-aware backups, careful adherence to least privilege principles, and the ability to quickly detect and remediate suspicious privilege escalations. We’ll explore them further to explain why:

Backups

Backups are a minimum requirement of many cyber insurance providers. The goal is to get back online quickly in the event of a ransomware or other attack. But what if your backup carries the same malicious payload that infected your environment in the first place?

If your domain controllers are already infected when backups are made, you face a lose-lose choice: Restore an infected backup and start the whole cycle over again, or lose time and data digging through backups until you find one taken before malware introduction.

Maintaining and regularly testing reliable, malware-free AD-aware backups is one of the most effective risk-mitigation steps you can take. A dedicated AD backup and recovery plan, separated from OS backup and recovery, can literally save the day when attackers lock down your systems.

Gartner recommends a dedicated AD backup and recovery solution to minimise the impacts of a cyberattack

IAM and PAM

Gartner notes that, “Organizations have spent considerable effort improving IAM capabilities, but much of it has been focused on technology to improve user authentication, which actually increases the attack surface for a foundational part of the cyber security infrastructure…. ITDR tools can help protect identity systems, detect when they are compromised and enable efficient remediation.”

Applying least privilege, role-based access control (RBAC), and monitoring of high-privilege accounts is vital to AD security. Especially in large organizations, the overwhelming amount of data generated in security logs can make it difficult to spot gaps caused by human error or configuration creep—gaps that attackers can use to escalate privileges and wreak havoc. The ability to automatically detect suspicious activity when and where it occurs, rather than depending solely on log monitoring, and roll back suspect changes can help prevent the lateral movement that attackers prefer.
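As an added illustration of the point above about detecting suspicious privilege changes when and where they occur (example code written for this page, not Semperis product code or Gartner material): a small Python detector that reads Windows Security log records for group-membership events 4728/4732/4756 (member added to a global/local/universal group) and 4729/4733/4757 (member removed) and raises alerts only for Tier 0 groups. It flags additions made by accounts outside an approved change process and the "add, use, remove" pattern in which a privileged membership is granted and revoked within a short window, which log-volume alone tends to hide. The key=value record format, the Tier 0 group list, the approved-actor allow-list (svc-pam), the 30-minute window and every sample name are assumptions constructed for this example.

```python
"""Flag suspicious membership changes to Tier 0 Active Directory groups.

The event IDs are the real Windows Security log IDs for group membership
changes; the record format, group list, allow-list and sample values
below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Built-in groups commonly treated as Tier 0 (assumed list for this example).
TIER0_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Administrators", "Account Operators", "Backup Operators",
}
ADD_EVENTS = {4728, 4732, 4756}     # member added to global/local/universal group
REMOVE_EVENTS = {4729, 4733, 4757}  # member removed from global/local/universal group
# Accounts allowed to change Tier 0 membership, e.g. a PAM broker (assumed).
APPROVED_ACTORS = {"svc-pam"}
# Add-then-remove inside this window is treated as transient privilege abuse.
TRANSIENT_WINDOW = timedelta(minutes=30)


@dataclass(frozen=True)
class SecurityEvent:
    event_id: int
    time_created: datetime
    subject_user: str   # account that made the change (SubjectUserName)
    member_name: str    # DN of the member added/removed (MemberName)
    target_group: str   # group that was modified (TargetUserName)


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    subject_user: str
    member_name: str
    target_group: str


def parse_event(line: str) -> SecurityEvent:
    """Parse one constructed 'Key=Value;Key=Value' record into a SecurityEvent.

    partition() rather than split('=') keeps DN values such as
    'CN=alice,OU=Users,...' intact.
    """
    fields: Dict[str, str] = {}
    for part in line.strip().split(";"):
        key, _, value = part.partition("=")
        fields[key] = value
    return SecurityEvent(
        event_id=int(fields["EventID"]),
        time_created=datetime.fromisoformat(fields["TimeCreated"]),
        subject_user=fields["SubjectUserName"],
        member_name=fields["MemberName"],
        target_group=fields["TargetUserName"],
    )


def detect_tier0_changes(events: List[SecurityEvent]) -> List[Alert]:
    """Return alerts for Tier 0 membership changes, in chronological order."""
    alerts: List[Alert] = []
    pending_adds: Dict[Tuple[str, str], SecurityEvent] = {}
    for ev in sorted(events, key=lambda e: e.time_created):
        if ev.target_group not in TIER0_GROUPS:
            continue  # changes to ordinary groups are not in scope here
        key = (ev.member_name, ev.target_group)
        if ev.event_id in ADD_EVENTS:
            pending_adds[key] = ev
            if ev.subject_user in APPROVED_ACTORS:
                sev, why = "medium", "Tier 0 membership added by approved actor; confirm a matching change ticket"
            else:
                sev, why = "critical", "Tier 0 membership added by an account outside the approved change process"
            alerts.append(Alert(sev, why, ev.subject_user, ev.member_name, ev.target_group))
        elif ev.event_id in REMOVE_EVENTS:
            added: Optional[SecurityEvent] = pending_adds.pop(key, None)
            if added is not None and ev.time_created - added.time_created <= TRANSIENT_WINDOW:
                minutes = int((ev.time_created - added.time_created).total_seconds() // 60)
                alerts.append(Alert(
                    "critical",
                    f"transient Tier 0 membership: added and removed within {minutes} minutes",
                    ev.subject_user, ev.member_name, ev.target_group,
                ))
    return alerts


# Constructed sample records (not real log data). Deliberately out of order.
SAMPLE_LOG = [
    "EventID=4728;TimeCreated=2024-05-01T09:05:00;SubjectUserName=svc-pam;"
    "MemberName=CN=alice,OU=Users,DC=corp,DC=example;TargetUserName=Domain Admins",
    "EventID=4728;TimeCreated=2024-05-01T02:13:00;SubjectUserName=jsmith;"
    "MemberName=CN=backup-svc,OU=Service,DC=corp,DC=example;TargetUserName=Domain Admins",
    "EventID=4729;TimeCreated=2024-05-01T02:40:00;SubjectUserName=jsmith;"
    "MemberName=CN=backup-svc,OU=Service,DC=corp,DC=example;TargetUserName=Domain Admins",
    "EventID=4728;TimeCreated=2024-05-01T10:00:00;SubjectUserName=hr-admin;"
    "MemberName=CN=bob,OU=Users,DC=corp,DC=example;TargetUserName=HR Staff",
]


def run_sample() -> List[Alert]:
    """Run the detector over the constructed sample log."""
    return detect_tier0_changes([parse_event(line) for line in SAMPLE_LOG])


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[{alert.severity}] {alert.target_group}: {alert.member_name} "
              f"by {alert.subject_user} - {alert.reason}")
```

Over the sample records the detector raises three alerts: a critical one for the 02:13 addition by jsmith, a critical "transient membership" one when the same member is removed 27 minutes later, and a medium one for the svc-pam change that still needs a ticket check; the HR Staff change produces nothing. In production the same logic would be fed from the domain controllers' Security logs (or a SIEM), and the approved-actor list would come from the PAM system rather than a constant.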

Meeting cyber insurance requirements while protecting Active Directory

Even in a controlled, well-managed environment with a solid secure foundation, evolving cyber attacks are a continuous threat. Cyber insurance can help you recover financially but cannot offset reputational damage or data loss.

By taking a proactive approach to Active Directory security, you can decrease risk and increase your overall security stance - a win-win, regardless of whether you maintain cyber insurance.

The author

James Doggett is CISO at Semperis.

Semperis provides Active Directory Forest Recovery (ADFR), a backup and recovery platform for Active Directory, and Directory Services Protector (DSP), which helps you prevent attackers from gaining access to AD by checking for security indicators of exposure or compromise - even those that bypass security logs. DSP can also automatically remediate changes made until you can review and approve them. Semperis ADFR and DSP provide strong protection for AD, strengthening your organization’s overall security stance - something cyber insurers prize. Semperis also offers a free AD security assessment tool, Purple Knight, which you can use to identify potential AD security gaps so that you can remediate them before applying for cyber insurance.
