Return to Work with Cybersecurity

June 11, 2020 | Webinar

As companies across the country prepare for employees to return to work, they are implementing enhanced safety measures to protect employee health. But what about protecting the health of their computer networks? Companies of all sizes and sectors have had unprecedented numbers of employees working remotely, often with little advance warning or preparation, potentially exposing work-from-home devices to serious cyber threats. Will malware linger on devices that have been used on home networks for months and that are only now returning to the office? How can suspicious activity be identified and addressed before exposing the rest of the corporate network to unnecessary risk?

The Travelers Institute and the Small Business & Entrepreneurship Council hosted this free webinar, featuring insights from the Travelers Cyber Risk Team and other cybersecurity thought leaders.

Watch the Replay

View Video Transcript

(DESCRIPTION)
Text, Return to Work with Cybersecurity. June 11, 2020, Part of the Cyber: Prepare, Prevent, Mitigate, Restore, registered trademark, Series. Travelers Institute. Logos, Travelers, S.B.E. Council, Small Business Enterprise Council. Hands on a keyboard with a graphic above of a lock on a shield in front of overlapping ovals of light. A woman's picture-in-picture is in the left center of the screen.

(SPEECH)
When you join today's webinar, you selected to join either by phone call, or computer audio. If for any reason you would like to change your selection, you can do so by accessing your audio pane in your control panel. You will have the opportunity to submit text questions to today's presenters by typing your questions into the questions pane of the control panel. You may send in those questions at any time. We will collect them and address them during the Q&A session at the end of today's presentation. Please take a moment to review the disclaimer.

(DESCRIPTION)
Text, Disclaimer, This program or presentation is only a tool to assist you in managing your responsibility to maintain safe premises, practices, operations and equipment, and is not for the benefit of any other party. The program or presentation does not cover all potentially hazardous conditions or unsafe acts that may exist, and does not constitute legal advice, For decisions regarding use of the practices suggested by this program or presentation, follow the advice of your own legal counsel. Travelers disclaims all forms of warranties whatsoever, without limitation, implementation of any practices suggested by this program or presentation is at your sole discretion, and Travelers or its affiliates shall not be liable to any party for any damages whatsoever arising out of, or in connection with, the information provided or its use. The material does not amend, or otherwise affect, the provisions or coverages of any insurance policy or bond issued by Travelers, nor is it a representation that coverage does or does not exist for any particular claim or loss under any such policy or bond. Coverage depends on the facts and circumstances involved in the claim or loss, all applicable policy or bond provisions, and any applicable law. Please note that this session is being recorded by Travelers. The recorded session may be used, copied, adapted, distributed, publicly displayed and/or performed as Travelers deems appropriate. Travelers Institute. Logo, Travelers

(SPEECH)
And I'd like to now turn the presentation over to Joan Woodward; President, Travelers Institute, Executive Vice President Public Policy Travelers. Joan?

(DESCRIPTION)
Joan's photo. She is in the picture-in-picture

(SPEECH)
Thank you all for joining us today, with our Return to Work with Cybersecurity Webinar. We hope we have no technical issues with this webinar, but you never know. So first I want to say thank you to our partner, The Small Business Entrepreneurship Council, led by Karen Kerrigan, for working with us to host this important discussion. And our discussion today will feature kicking off, actually our summer webinar series at the Travelers Institute, and we hope to bring real practical advice for business owners as they reopen over the next couple of weeks and months. So stay tuned every couple of weeks, we'll be coming to you live with terrific speakers, and a really valuable insight that you can implement in your business that day.

So now for those of you who may not be familiar with the Travelers Institute, we are the public policy education and information arm of the very large Travelers Insurance Company. For more than 11 years, we've hosted educational forums like this across the US, Canada, and the UK, on issues affecting our customers, communities, agents and brokers, and of course our 30,000 employees. Issues like small business advocacy, disaster preparedness, distracted driving, and of course cybersecurity.

(DESCRIPTION)
Text, Travelers Risk Index. Cyber is now the #1 concern across all businesses. Biggest cyber-related business concerns: Security breach, Unauthorized access to financial accounts, with a graphic that represents each.

(SPEECH)
Cybersecurity education has been a very big part of our efforts, and our most recent Travelers Risk Index found that cyber risks are the number one concern among business leaders last year- the number one. This is the very first time since starting our survey where cyber risk topped our list. Cybersecurity threats are just as important today as ever. Over the past several months, we've seen unprecedented numbers of employees working remotely, with very little or no warning to prepare. Frankly, over one weekend most people decided to close their businesses due to COVID-19.

As businesses take steps now to reopen their doors, we are all excited about that. They are surrounded by uncertainty in this a new environment. They're implementing new protocols to ensure their employees' physical health, which is very important, but it's also important to think about the health of their computer systems, and networks. As we'll hear from our terrific speakers today, there is great concern among cybersecurity professionals about the potential vulnerabilities companies are facing by bringing work from home devices back to the office, because the potential for their lingering malware on these devices.

Our speakers today will help us understand the threats the companies face, and also explore the opportunities for you to mitigate your risk in these areas.

(DESCRIPTION)
Photos of the four presenters, including herself, and their positions.

(SPEECH)
So, today our speakers include Dan Dahlberg, who's the Director of Security Research at BitSight. BitSight has a very fascinating business model. They rate cyber risk of businesses and organizations, much like the S&P or Moody's rates financial risk. And a quarter of Fortune 500 companies are currently using their ratings, and it's growing every day. Dan and his team are responsible for operations and expansion of BitSight's threat intelligence capabilities and telemetry. Discovering these new sources of data describing risk about organizations, and designing and developing new components, risk vectors and features for security rating products.

Our next featured speaker will be Jared Phipps- Vice President of Worldwide Solution Engineering at SentinelOne. SentinelOne is an endpoint security platform that utilizes artificial intelligence to defend systems against cyber threats. Jared has more than 20 years of experience, in both the public and private sectors, including the US Air Force and cyber defense, and offensive cyber operations, which is different than defensive.

Ken Morrison, Director of Cyber Risk Control at Travelers, and a former FBI cybersecurity officer. In this role today, Ken provides subject matter expertise on cyber threats. Cybersecurity, and emerging cyber technology and underwriting claims, and other teams across Travelers. He previously worked for the FBI as an Information Security Officer, and a Computer Forensics Examiner. With that, in that order, I'm pleased now to hand it off to our first speaker. And I'll be back at the end of our show to talk with you more. Dan Dahlberg, please take it away.

(DESCRIPTION)
Photo of Dan Dahlberg, Speaker, Director of Security Research, BitSight.

(SPEECH)
Thank you Joan and thank you for the introduction as well. If you go to the next slide.

(DESCRIPTION)
Text, Background and Cybersecurity Trends. COVID-19 pushed many employees home in an abrupt manner, Companies varied in their preparedness. Rapid response by organizations to continue business operations, Corporate infrastructure hastily set up, Traditionally unsupported devices allowed to access corporate information. Balancing act between business operations and security controls. Phishing attacks using COVID-19 as a launching platform. The confusion of new policies lends itself an open door for phishing attacks. Misconfigurations become most common reason of breaches that involved errors

(SPEECH)
Excellent, so yeah, I'll start. So yeah, as each of us have been sort of quite familiar with, many business operations and employees were moved out of the corporate office environment and into the home, and quite an abrupt in some manner to a couple of months ago. And from this, there were companies who are better prepared for such a sudden change in working conditions, particularly those that had strong support from working at home, working from home processes across really all their functional roles.

However, the same time, there were organizations that were not quite as prepared, and really had to rapidly respond to ensure their business could continue operating. Much of these changes could have involved setting up new external facing infrastructure and configuring support for all their functional roles. At the same time, they had to consider the fact that they may need supervision and had to provision new workstations, or support new devices that they otherwise wouldn't have. And you know, much of these devices for example may not have complied with the previous company policy, that might have only restricted devices to certain specific device models, or those with specific operating system versions installed.

So this fast reaction is quite reminiscent of really, a perpetual activity that security teams perform on a continual basis, which is that really a balancing between enabling the business to be successful, while also trying to protect the customer data, the corporate data, and intellectual property, and this pandemic will certainly will have amplified this disparity in this balance, and very much will likely push more heavily on that scale to continue business operations.

So if we look back, really, at the attacks that we've just been observing during these periods last couple of months, attackers have certainly been taking advantage of the fear, and confusion around the pandemic, and government response. Actors have crafted phishing campaigns using COVID-19 information as a backbone to their platform, to solicit users to engage in their content, either installing malware on their devices, or stealing credentials. We continue to see these campaigns today, and they will evolve with the broader events of the world, much like really any attacks that we've seen in the past do.

At the same time, the confusion with corporate security policies themselves, and how individuals continue to perform their functions will lend an increased opportunity for attack as well. One predominant way users and really employees of course that companies help themselves not fall victim to phishing attacks, is really understanding what is expected of them, others and how systems and processes are supposed to work internally at that company. Thus, if an external actor requests something of them, the user might have a higher chance of identifying it as being somewhat unusual.

However, when policies and practices are rapidly changing at organizations, that mindset becomes significantly diminished, removing that backdrop, that backstop that a user might have been implicitly been relying upon. And one other data point as well is that when Verizon published their DVIR report looking back at 2019, they noticed a significant increase in the number of misconfigurations at organizational networks that contributed to breaches that were due to just errors throughout that year, and many of these were security researcher-identified issues, but just shows you the depth of what was actually in place at that time. And this statistic only really reflects 2019 itself, it doesn't take into account all the changes that have occurred throughout 2020, but if the year is already starting off high in increased misconfigurations that can compound an already changing environment that we're in right now. Next slide.

(DESCRIPTION)
Corporate Office vs. Home Office. Professionally managed vs. individually managed. Device ecosystem very different than corporate environments, Internet of Things (I.o.T.) devices not normally found on organizational networks, Consumer-grade hardware and systems lend themselves more common to misconfigurations and stale updates. Very different set of threats in the home environment. Bad actors are becoming more patient to increase their chance of success (asterisk to citation), Corporate devices are now consistently available in-home office environments. Asterisk, https colon double slash, news dot sophos dot com slash en hyphen u.s. slash 2020 slash 05 slash 27 slash netwalker hyphen ransomware hyphen tools hyphen give hyphen insight hyphen into hyphen threat hyphen actor slash

(SPEECH)
So, given these changes, one thing BitSight wanted to better understand, was how different is the security environment between the home office, and the traditional corporate network. One side of this, of course, is obviously perpetually managed with a dedicated teams, or perhaps people who have specific responsibilities for organizational assets or applications, while on the other hand, in a home environment individuals really heavily rely on the vendors of their devices to generally enforce proper security practices and policies. In fact, in many consumer devices, the user can have no control over the security settings of their device.

So, the device ecosystem between the corporate environment the home office is quite different by itself, considering that there are two different demographics serving of course, different use cases. IoT devices found in the home environment are not going to be generally observed in corporate environments and vice versa, and not only are business is procuring systems that they need to accomplish specific objectives, but they should have configuration management practices in place to support that device over its lifetime. They make device acquisition decisions, in part across a whole number of different criteria and security, normally of course, being very important role in that evaluation and in those choices. But in the home environment, most consumers are prioritizing usability, without much forethought into security or considering the fact that many consumers don't have a subject matter expertise in these areas, or really have a means to evaluate whether one vendor is better than another.

But do these differences, the threats faced by these two groups are going to be quite different, right? The sets of issues, or vulnerabilities that will affect these devices are going to be quite different, and in the end, this represents itself as a distinct attack surface, and it's going to be foreign for traditional corporate security teams if they evaluate their threat model in isolation of only their corporate assets, and corporate working environment. So, what this entails is we have more organizational devices which may or may not be prepared to access corporate information like I was mentioning earlier.

More consistently residing in these home environments. If we consider a situation like WannaCry a couple of years ago, which was famous in part for taking advantage of an exploit known as EternalBlue which was announced a couple months prior to WannaCry coming out. We can observe many cases actually, where organizations that were compromised were not compromised because an attacker was able to remotely use this exploit on their external network, and break into the organization. In fact, the actor oftentimes relied on traditional methods for infiltration, phishing attacks, and various other things. And once a device was compromised, the malware was actually able to then to take advantage of that exploit and spread rapidly throughout the organization. And examples, like these cases, where organizations put heavy emphasis on the perimeter, but don't necessarily put a lot of emphasis on supporting, properly supporting the workstations internally.

Now however, many of these workstations are in individual homes. They're no longer residing in this corporate environment, and outside the very perimeter that these organizations were over-relying on. At the same time, if recent ransomware attacks are good indicators for reference, then it shows that any actors are now also being more patient in understanding their victim's networks and topology and configuration. Basically, which systems are the most attractive before initiating say ransomware attacks to ensure that they can encrypt and lock out an organization's most important assets first. So, this patients may extrapolate into the home by now searching for the devices that can be linked, indirectly connected, through SaaS applications, or directly through VPNs back into the corporate network and data. Next slide.

(DESCRIPTION)
A bar graph titled Ratio of Observed Exposed Services. Key, in blue, Work from Home Remote Office IP Addresses. In red, Corporate IP addresses. On the x-axis, categories of IP addresses. On the y-axis, Ratio of Total Addresses per Category. Blue lines start high on the left then sharply drop off to the right. Red lines start about halfway up the y-axis at the third category, raise on the next one, then are low on the rest with a couple of short spikes. Text, Attack surface is quite different between the home and corporate environment. 15% of home offices have exposed modem control interfaces, while 72% have exposed administrative interfaces for their routers. Citation, From the BitSight "Identifying Unique Risks of Work from Home Remote Office Networks" Whitepaper. https colon double slash info dot bitsight dot com. identifying hyphen unique hyphen risks hyphen of hyphen work hyphen from hyphen home hyphen remote hyphen office hyphen networks

(SPEECH)
So what BitSight was interested in were basically the observable differences in the security posture between the two environments, corporate and home, and understand what those differences were from the visibility that we have. So, the first of the two artifacts we want to assess was that of the network perimeter I was discussing earlier. So, organizations have a number of systems in place to offer services to their customers, or other business partners, and/or other systems to serve business operations. For example, it's quite normal for a company to, of course, have a website, and try to have one, maybe for consumers, and another set for its business partners and applications, and just to facilitate operations.

At the same time, it's also normal for a company to sell post email, or they could be using a third party, but on the other hand, in the home environment, you don't expect a lot of users, individual consumers to be hosting their own website, to be hosting their own email, they're going to rely on third parties like Gmail, or Facebook to accomplish the same sort of objectives from that. So, there were actually a number of findings in this analysis, but I wanted to point to two specific ones in that, I saw many home devices have a service running on two different ports, which represent those really tall blue bars on the left hand side, that were rarely seen in corporate environments. You can barely see any red there. And these actually are two services that relate to cable modem control interfaces, basically, means to allow some service providers to control the modems and update the firmware. And unfortunately, implementations of this protocol have been known to suffer vulnerabilities that could allow an attacker to compromise the device or reveal sensitive data.

A second finding that we found surprising is that, despite sort of our intuition or expectations that many home users would of course not have a website at home, many home IP addresses were, in fact, serving web content. How are the majority of these websites actually turned out to be home router interfaces, yet this is really another service that an attacker could target, specifically because the default credentials are not often changed by consumers, or some not even having credentials at all. And it was actually these types of services that the Mirai malware targeted. Next slide.

(DESCRIPTION)
Text, Home networks are 3.5 times more likely to have at least one malware family than corporate networks, and 7.5 times more likely to have at least five different malware families. As the size of the organization increases, so does the complexity of managing infrastructure, processes, and human practices within the physical and digital boundary of the corporate network. A scatter plot graph titled WFH-R.O. IP Address Count vs. Malware Family Count. Key, Black dots, Work from Home Remote Office Networks. Blue dots, Corporate Networks. On the x-axis, Count of Work from Home Remote Office IP Addresses, in a logarithmic scale. On the y-axis, Count of Distinct Malware Families. The black dots spread and rise to the right. The blue dots remain at the bottom and spread a small amount towards the right. Citation. Figures from the BitSight "Identifying Unique Risks of Work from Home Remote Office Networks" Whitepaper. Website same as previous.

(SPEECH)
So the second artifact we actually also wanted to assess, was beyond the network premiere, but on the malware side. So, which was basically what malware families were more popular at home versus the corporate environment. And what we noticed, was that the number of distinct malware families grows quite faster with the collection of home offices, versus the corporate networks. You can kind of see that these black dots kind of scatter off quite quickly as the size of the organization grows on an x-axis. Intuitively this does make sense, considering that for every workstation. At a corporate office, once you bring that workstation home, it's going to be exposed to more devices. It's going to be interacting with quite more devices, maybe another one, maybe 10, 20 depending on that home environment. So you kind of have that multiplier effect at the same time.

And what we really kind of ended up observing from that, is home networks were about three and a half times more likely to have at least one malware family, compared to corporate networks. And if you look at even larger families, or more malware families, it's seven and a half times more likely to have at least five different malware families on the corporate side. And, so, as the number of home offices also sort of that are indirectly connected to the corporate office scales, the number of corporate networks infected with malware increases. Which really, is kind of a function of the complexity of managing that infrastructure, the processes, the human practices within the physical and digital boundary of the corporate network. Next slide.

(DESCRIPTION)
Text, Mirai is observed at least 20 times more frequently on the home network than corporate networks. Q Snatch is observed almost 30 times more frequently. Necurs and Trickbot are observed about 14 and 4 times more frequently respectively. A scatter plot titled Number of Aggregated Networks per Malware Family during March 2020. On the x-axis, Count of Corporate Networks, on a logarithmic scale. On the y-axis, Count of Work from Home Remote Office Networks. A diagonal line goes from point 0 0 to the upper right corner. Gray circles spread above the line, with some in colors, labeled Haddad, CrossRider, Allinone, Root S T V, MobiDash, Arrkii S D K, Gamarue, Q Snatch, Mirai, Necurs and Trickbot. Citation same as previous

(SPEECH)
So, in another point of view, we wanted to understand which malware families also had a tendency to attack the home network more frequently, than say the corporate network, or really had a strong preference for one or the other. So, what this chart here is showing is the number of corporate networks a malware family was observed on the x-axis. And basically, the y-axis shows the number of corporate associated home offices. And what we did find, was that there were malware families that actually had a strong preference to one side or the other. So, for example Mirai again, is observed at least 20 times more frequently on home networks than corporate networks, which makes sense considering that Mirai often attacks IoT devices, which are more common at home, those of which are also not really used in that corporate environment.

Two, Snatch is another good example, because attacks QNAP devices, which again, is in a very similar situation. On the other hand, families like TrickBot, which more heavily lean towards targeting corporate networks, although they're still frequently observed on home networks too. So, given that there's disparity in malware families that we found between these two network types, there's going to be malware that is going to be seen in the home, that is going to be rare in that office or corporate environment. And perhaps, it's going to be less likely that the corporate security teams would be unfamiliar with them. Next slide.

(DESCRIPTION)
Text, Best Practices and Policies. Returning to Work may often now mean supporting multiple use-case demographics, There's going to be a perpetual mix of persistent home activity and corporate activity for every business. Attacks will continue to take advantage of the fluidity of corporate security policies, The confusion surrounding new changes leaves an open door for phishing attacks. More fluidity in devices with access to corporate information, Few companies will retroactively purge devices that were not previously permitted to access sensitive data. Zero trust security model, Organizations with a castle and moat will suffer in today's environment.

(SPEECH)
So, when we go through the process of returning to work, and there's going to be means that organizations are going have to--it's going to mean that organizations that have to support multiple use-case demographics, meaning right now, we have a mix of employees working from home. Nearly everybody is working from home, but once we start returning to work, there's going to be a perpetual mix between those working from the office, and those working from home. It's going to be more common across many organizations, maybe even more common than before the pandemic started.

So, much like the forcing employees home was an unavoidable situation, support for these multiple use-cases largely is going to be also unavoidable. So this is going to require companies to really rethink their prior policies, and formalize, and adopt those that allow this environment to be successful. And while this happens, attacks will continue to take advantage of the very changes in the corporate security policies. Attackers know that companies are having to rethink how users access information, and use that opportunity to initiate campaigns that near, say education material directed towards employees.

And also, the validity of the devices with access to corporate information will be maintained, or perhaps even increase. I spoke earlier about how companies had to rapidly adopt changes in their security model, by allowing previously say, unacceptable devices to access corporate information. These devices are largely going to continue to access and hold that data in the months to come, and companies might have to really rethink how they shift the tools to protect their data on those devices.

So, these changes really largely boil down to how a company ultimately thinks about their threat model, and how they build their security model to protect their own data and assets. So, a security model that lends itself the most success when operating in this sort of environment, is the zero trust security model, which focuses policy evaluation for data and application access, specifically on the device that is making the request. The device's state, what's happening on the device, what is this configuration and security controls, and the associated user to that request.

And this is quite different than a traditional castle and moat security model, or environment where, in the zero-trust security model, there's not a notion of an implicit trust. If you're in a castle and moat, if you're behind the firewall, you've sort of have an implicit trust because you're inside the corporate network, but in the zero-trust model you don't have that. So, in order to be successful with a zero-trust security model, a company really has to invest in ensuring it has broad, and really strong support for those and the endpoint protection technologies to manage all the devices. That need to interact with that corporate environment. And yeah, with that, I will pass it off to Jared.

(DESCRIPTION)
Photo of Jared Phipps, Speaker, VP, Worldwide Solution, Engineering, SentinelOne

(SPEECH)
Dan, appreciate that. I'm Jared Phipps with SentinelOne. Next slide, please.

(DESCRIPTION)
Text, Question: Will malware linger on devices that have been used on home networks for months and are only now returning to the office?

(SPEECH)
So, really what I wanted to talk about today is one of the questions that went on in the webinar, and that question was, will malware linger on devices that have been used at home networks, and that are now coming back to the office? And, well I think the answer to that from based on what you've seen from Dan, and what I can tell you from the industry is while there are no absolute certainties in this space, the risk is absolutely higher. We know that there's more malware that exists on home networks, and we know that corporate machines that have been there have been exposed to that. So obviously, one of the first questions that we often get as a secondary follow on to this, is I have AV installed on those computers, so do I still need to be concerned? And unfortunately, the answer in many cases is yes, you do.

If we look at the next slide, I'm going to be showing you a bit of data research from Arete Advisors. This is an incident response firm, who responds to cyber insurance claims based on ransomware investigations, and things of this nature.

(DESCRIPTION)
Average Number Of Days "Dwell Time" Prior to Ransomware Execution. A chart with a graph and two forms of bar chart. In red box is the text, 33.53, Average of Malware Dwell Time. Bar chart on right is Average Dwell Time (Days) by Variant with Snatch being the highest and Phobos being the lowest. Line graph and bars on the left show Dwell Time (Days) by Precursor Malware. Source: Arete Advisors Data Service Group, June 2020

(SPEECH)
What we're learning from the research that they're putting out, is a notion of dwell time. What does this mean, and why do we care about this?

The dwell time is talking about precursor malware. So, these are events, or artifacts that come onto an endpoint, before they actually execute the ransomware malware. And this is really important, because the preceding malware is specifically designed to avoid detection by AV products, and in and of itself, is typically not malicious. It's not it's not performing any malicious functions, and it's not doing anything damaging to the machine. On average, across all of the different ransomware families we see, there's one month, or 33 days of dwell time. If you look across the different malware variants, and the ransomware variants however, we can see that these types of precursor artifacts can sit on machines for three months or longer before a threat actor decides to take any advantage of that. Next slide, please.

(DESCRIPTION)
Text, AV Is An Old Solution To A Modern Problem. On the left, Legacy Anti Virus Is Identity Based. 1) Create signatures to address known, identified threats. 2) Push signatures to machines. 3) Scan machines for known threats. 4) Disinfect and Alert. On the right. Modern Attacks are Dynamic. 1) Current methods created specifically to avoid AV detection. 2) Every attack is now unique. 3) Attacks are multi-staged with small scripts used to establish beacons as opposed to full malware files. 4) Attackers can wait until conditions appear optimal before executing the full attack.

(SPEECH)
So, this leads to one of the major points I would like to make. Traditional AV was built a very, very long time ago, and it's an old solution to a modern problem. Specifically, what I'm claiming is that the current attack methods that are being done by crime groups are done with a full understanding, and the full expectation that the machines they will be attacking have AV installed on them. So, the way AV works, the traditional AV works, is it would create a signature, it's like a thumbprint to identify an attacker. And then, it would push those signatures out to endpoints, and endpoints would scan that machine looking for the attacker. And if it found one, it would disinfect and potentially generate an alert.

But what attackers have shifted to, is a concept that we call fileless attacks. While there are still technically artifacts, and file artifacts go back and forth, typically what they're doing is they're creating a connection to a machine, and with that connection you can reboot the machine, you can move between your home network, and in a hotel for example. It doesn't really matter. Every time the machine comes online, it'll establish that beacon out, it'll reconnect to the attacker. When they are ready, they will push the ransomware, they'll push the attack package across that connection, and attack that machine.

So, we see attacks have moved into multi-staged events. The other key piece is every single piece of malware they're pushing across, is going to be obfuscated. It's going to be giving a unique thumbprint. Even though it's the same category, the same classification, they're specifically focusing on avoiding AV detections. If we look at the next slide, what you'll see here, are some really easy methods that are known throughout the industry to bypass AV.

(DESCRIPTION)
Three overlapping articles with the titles, Can Tricky T x Hollower Malware Evade Your AV? How WindTail and Other Malware Bypass macOS Gatekeeper Settings. 5 Common Cyber Security Threats That Bypass Legacy AV

(SPEECH)
And this happens not only on Windows, but on Linux, and Mac as well. If we can jump to the next slide.

(DESCRIPTION)
But I Don't Use Windows... A common myth is that if you don't use Windows you don't have to work about cyberattacks. This is not true. A circle diagram on the left that's divided similar to a pie chart. 22.98% Linux, 8.59% MacOS, 68.43% Windows. Icons above with percentages: Linux, 4.1 million, Apple, 1.5 million, Windows, 12.3 million. At the bottom, SentinelOne Labs

(SPEECH)
I think that this is one of the biggest myths that I hear, and there's a tendency to have overconfidence that, well I'm not using Windows, I'm using a Mac, or I'm not using Windows, I'm on Linux. Certainly, your exposure level is lower, but you are not immune, and if I'm looking this is based on SentinelOne lab's research, if we're looking at across the millions and millions of endpoints that we manage across the globe, this is the percentages of attempted attacks that we see based on the different operating systems. So, upwards of 9% of all the attacks that we're seeing are actually specifically going against Macs. Next slide, please.

(DESCRIPTION)
Text, Cyberattacks = $ signs (Extremely High Motivation for Innovation)

(SPEECH)
So, why all the attacks? Why all the effort? Well, at the end of the day, there's real money to be made. And if there's real money to be made, and we're talking probably upwards of billions of dollars across the cybercrime industry, then there's going to be an emphasis on strong motivation and operating as a cybercrime business. Next slide, please.

(DESCRIPTION)
AV Is An Old Solution To A Modern Problem. Two pages of text with statistics and circle diagrams. On the left for R Y U K and on the right for REvil/Sodinokibi. Text at the bottom, Ransomware will result in over 1 week business downtime. Different variants of ransomware have various levels of ransom payments, however business disruption remains constant. Source Arete Advisors Data Service Group, June 2020

(SPEECH)
So, let's look at some more research from Arete. And these really are the numbers to back up what I'm saying, that AV is an old solution to a modern problem. It does not depend on the variant of ransomware. If you're looking at the red box, and I'm looking at two different types of ransomware here, two different crime group actors, the reality is, in both cases on average, a business downtime is over a week.

(DESCRIPTION)
In the red box on the left, business downtime, 9.63 Average of Duration. In the red box on the right, Business Downtime, 8.27 Average of Duration

(SPEECH)
And when I'm talking business downtime, I'm talking inability to run through manufacturing and production.

There's actually a major company in the news right now who's had to shut down manufacturing because of ransomware. On average, that's happening over a week in every single case. Now, the second piece to look at that is the actual payments of the ransom itself. So, for when I talk to business owners, when I talk to security teams who have not yet gone through a ransomware engagement, and I say yeah because most will at some point in time, what they seem to be concerned about is the payment of the ransom itself. Well, I don't know how much money that would actually be, and they put all the risk in the concept of paying the ransom.

The reality is, whether or not the ransom is paid, does not affect the business disruption, and the interruption of the business operations. And what you can see here, is RYUK for example, only 35% of the time do you actually have to pay that ransom, you're still going to be down for nine days which is contrasted. Sodinokibi, which is taking you down for eight days, actually fewer days, even though it's got a far higher ransom payment required. Next slide, please.

(DESCRIPTION)
The front side of a car with a box over the wheel which says, Modern technology uses Artificial Intelligence to monitor behavior in real time and reduce risks. Text to the right, Forward collision warning, arrow down, 27% Front-to-rear crashes, down 20% Front-to-rear crashes with injuries, down 9% Claim rates for damage to other vehicles, down 16% Claim rates for injuries to people in other vehicles. Forward collision warning plus autobrake. down 50% Front-to-rear crashes, down 56% Front-to-rear crashes with injuries, down 13% Claim rates for damage to other vehicles, down 23% Claim rates for injuries to people in other vehicles. Citation, Insurance Institute for Highway Safety, Highway Loss Data Institute, June 2019. website

(SPEECH)
So, how do we address this? How do we look at this? Well, there's a new category of products in the marketplace that are endpoint security platforms. They're not AV driven, and its new innovative products coming from a large number of vendors in the space. What I'm going to focus on, is the use of AI, and how we can drive autonomous, real time responses and actions, and so I'd like to give you an analogy. If you're going to go buy a car today, chances are you're probably going to look for some of the key safety features those vehicles offer.

And this is data from the Insurance Institute for Highway and Safety, and the Highway Loss Data Institute that they put out last year. And what was interesting about this, is we saw the forward collision and warning systems, which are autonomous, which are sensor driven, reduce front-to-rear crashes, 27%. But when you combine that with auto-braking, where there's a decision by the autonomy sensor to go ahead and start to put a preventive measure in place, the effectiveness drops even more, so now you're down to 50% of crashes reduced, and across the board those numbers are dramatically better. Next slide, please.

(DESCRIPTION)
Modern Endpoint Protection Solutions Replace AV and Stop Advanced Attacks Using Artificial Intelligence and Computer Behavioral Monitoring

(SPEECH)
So modern endpoint protection solutions that replace AV, they're going to use artificial intelligence, and behavioral monitoring to autonomously apply reactions. So, this is essentially the same analogy of that vehicle. Even though there's no signature for the ransomware, the behavior of the ransomware, the behavior itself will be triggered, the behavior itself will stop the attack. Next slide, please.

(DESCRIPTION)
Ransomware In Particular... A bar chart titled, Impacts of AI and Behavioral Prevention Against Ransomware. Numbers up the y-axis in increments of 500. Three pairs of 3D bars, The left bar in blue and the right bar in gray. Blue represents log size (KB). Gray represents number events in CSV log. The first pair: AV Bypass 171 seconds. The blue bar goes up to 500, the gray bar goes above 4,500. The second pair: AV only -- sub 5 seconds. The blue bar is almost flat and the gray bar is about four times as tall. The third pair: AI plus behavior -- sub 2 seconds. The blue bar is flat and the gray bar is almost flat.

(SPEECH)
So, I've got some sample data here from Sentinel Labs, and what we've done in the first particular case, is we're taking RYUK ransomware, and we just allowed it to execute in a machine with traditional AV. It took 171 seconds for that machine to be compromised. And you can see that there is almost 5,000 files affected by that. In the second case, using AI only, no behavioral monitoring, a system that is AI driven only was able to stop the attack in under 5 seconds, and the number of compromised files is minimal. But when you combine artificial intelligence with a runtime behavioral attack, then you're literally blocking an attack in under two seconds, with a minimal number of files, and those files can be restored. So, there's literally zero impact from a ransomware event. Next slide, please.

(DESCRIPTION)
Text, What To Look For In Endpoint Protection Platforms. 1) Use of AI and Behavior methods in prevention. 2) Capability to protect when endpoint is not connected to a network. 3) Data retention (E.D.R. capabilities). 4) Recovery options. 5) Ability to secure remote and onsite systems with equal effectiveness

(SPEECH)
So, if you're wondering what you need to do, or what you need to be looking for, as you consider coming back from COVID, and how do you secure your environment, and prevent yourself from getting targeted in some form or fashion by a ransomware event? Number one, let's look at the use cases of AI and behavior, find out if the vendor that you're looking at will have that capability. Verify that the behavior capabilities will be effective if the endpoint is not connected to the network.

I've been involved in many ransomware incidents where the machine is in an airplane, or it's not connected to the network, and the initial trigger happens then, and then it fully executes later on. Number 3 is, is the product EDR capable? This is like having a flight data recorder for your endpoint, so you have investigations and better restoration capabilities, and that really drives into point number four. When it comes to recovery, expect full recovery. There's vendors on the market that do offer full recovery, and that's what you should be looking for.

And finally, you want to be able to secure remote, and on-site system with equal effectiveness. So, all of your recovery options should be available, whether the worker is at home, at a hotel traveling, or they're in the office. And so with that, I'd like to pass it over to Ken Morrison.

(DESCRIPTION)
Photo of Ken Morrison, Speaker, Director, Cyber Risk Control, Travelers

(SPEECH)
Oh, thank you very much Jared. So as we've seen from Dan's and Jared's talks, the cyber risks like ransomware can threaten your ability to operate your bottom line, your reputation, and your company's very survival. A friend of mine was on a cybersecurity team of a company that was hacked, and they spent 53 consecutive days working 12 to 15 hours each day to get things fixed. I know, I never want to go through anything like that, and I don't want you to go through anything like that either, so, although they do say it builds character.

But the question is, with limited resources, how can you effectively, and efficiently manage risk, and keep your company safe and secure? Well first you have to identify what you're trying to protect. What do you have that will make an adversary rich if they stole it, or held it for ransom, or ruin you if it was divulged, no longer available, or if it was changed? For example, is it information you depend on, like sales data, or intellectual property? Is it information you're required to protect, like client information, credit card, or health care data, or is it a service you provide, like cloud hosting, legal, architectural, or accounting practice, or software development?

And then you can think about the threats. There are adversaries, either outside or inside, that may want to steal or destroy information, or halt your operation. There are accidents, you know mistakes, like not encrypting a database, or letting a tailgater follow you into the office. There are structural threats, like leaky roofs, or old unsupported equipment, or operating systems. And then there are environmental threats, like natural or man-made disasters, power failures, or pandemics. So you document the risks. And remember, that risk is the likelihood and the impact or consequence of something bad happening.

So when that hurricane shuts down power for a week, and somebody says, well, what are the odds? Well, you really can calculate the odds of something like that based on where you live, and you want to prioritize the risks based on the likelihood, and the impact, and then decide how to manage the risks. Slide, please.

(DESCRIPTION)
Text, Risk Response 1 01. Four boxes with graphics that represent each. First box: Accept (Ignore?).We don't think it will happen to us. It costs too much to mitigate. Second box: Avoid. Don't offer eCommerce. Move the data center from Miami to Boise. Decline a merger. Third box: Reduce/Mitigate. Patch the vulnerability. Install sprinkler system. Fourth box: Transfer. Contractually (indemnification). Buy insurance

(SPEECH)
So, risk response 101. I know this is a review for most of you probably, but you can first decide to either accept the risk, maybe you don't think it'll happen to you, which is ignoring the risk, which is not really recommended, or maybe the cost of the protection is worth more than what you're trying to protect. You can avoid the risk by say, not taking credit card payments, or moving your data center, or decline that business deal that might have been a little bit too chancy. You could reduce or mitigate the risk by patching that vulnerability, installing a sprinkler system, or implementing the EDR, or you can transfer the risk, either contractually or with insurance.

All right, so let's bring it back to remote risk, and coming back to work. Dan reminded us of the good old days, when the typical network security model was similar to a castle. If you were inside the wall or perimeter, you were safe, you were trusted, and if you're outside, well, you were not. Castle perimeters were traditionally protected by high, thick walls, and a moat, while cyber perimeters are protected by firewalls. But as we've discussed, with remote access to networks, and with cloud computing in general, there really is no perimeter. So what do you do now? Well, at the risk of showing my age, I'll quote one of my favorite TV shows from about 20 years ago- trust no one. Next slide, please.

(DESCRIPTION)
Trust No One, Verify Always: A formula made up of four circles with text in each. Who they are + What they access + Secure Computer and Connection = New Perimeter

(SPEECH)
Trust no one, verify always. What this means, is before we allow anybody to connect to our network, whether remotely, or in the office, or access any data, we have to verify that we know who they are. We have to verify where they can go, and what they can see and touch, or access, and that the way they connect their computer, and their connection is safe and secure. This is the new perimeter.

All right, so let's review some of the concerns with remote access from a company's perspective, and the biggest and most obvious is a lack of control over your employees' computers. So, Dan and Jared explained the heightened risks due to exposed home networks and computers. So, can your employees access the internet directly where they can visit any website at any time or anywhere, or do they have to go through your corporate network, through your VPN, where they come under the protection of your security controls? Are patches, anti-malware software being updated, and not just on the computer, but on the home router too? Is anybody else using the computer, and what if something bad does happen? On a road computer, can you detect it? And if you can detect it, can you do anything about it?

OK, so what are the risks? So if a computer can visit any website, say without the security of a proxy server to block access to suspicious sites, then malware can be installed, and risking ransomware infection for example. Inappropriate sites could be visited, disciplinary action, compliance issues, and if security patches in any malware are not updated, then the computer is now just that much more vulnerable to an infection. You get the picture. So what can a company do in general, and specifically with getting back to work in mind? Next slide, please

(DESCRIPTION)
Back to Work. Six horizontal bars with text in each: Ramp up training. Lock down systems. Backups, backups, backups. Check the laptop at the door. B.C./D.R./I.R. Plans. Upgrade AV to E.D.R.

(SPEECH)
You want to have a plan. I mean, we can't prevent everything, but we can be ready by having a plan. So first, you want to ramp up your training. Turn your employees into human firewalls, make sure they have an increased level of awareness and vigilance, and there are several resources you can tap into, and your cyber insurance company might be able to provide free cyber security training. So lock down your systems, ensure your IT infrastructure, and network appliances, servers, both virtual and actual have been updated with the latest versions of their software firmware, security patches, and are configured to only allow the minimally required access and services need to do the job, known as the principle of least privilege.

So for example, accounts that perform administration should be strictly controlled. They should not be a regular user account just with elevated privileges, and they should all require multi-factor authentication, or MFA to log in. Backups, backups, backups, right? Make sure they are comprehensive, not just saving data, but also critical infrastructure like domain controllers, and active directory. And remember that ransomwares go after the backups first. If you can get to your backups from your network, so can they. So make sure a copy of your backups are stored either off network, or can only be accessed with credentials other than your normal Active Directory credentials.

Check the laptop at the door, right? So, before allowing remote device devices back into your corporate network make sure that they've received the latest patches and security updates and scanned for any kind of malware. Update or create, a business continuity, disaster recovery, and incident response plan. So, remember business continuity is not a technical plan. What are the most important things that your business has to do on a day-to-day basis to survive, and how long can these functions be down before you start to feel pain? Can you operate from another location? Will you have access to office space, equipment, records, computers, et cetera?

Now disaster recovery does address the technical stuff. What are the most important things--what are the IT systems that support your most important business functions? Do you have access to information to computers, to connectivity, to your applications, and remember your backups are a key part of your DR plan.

Incident response is how you respond to active cyber-attacks against your company systems. So, you'll want a plan, or playbook for various scenarios that provide step-by-step instructions for how you identify, mitigate, and, recover from computer incidents like a ransomware attack. And these don't have to be complicated. Sometimes just writing down what you're going to do in the event of a disaster, or incident helps you think of things that you might not necessarily think of in the heat of the moment. And practice all of them a lot. Consider upgrading your traditional antivirus to an endpoint detection, and response solution, as Jared was saying. Far more greater capabilities in detecting, not just based on signatures, but actually based on behavior.

So in summary, we want to be aware. We want to understand that the risks facing your company, and you want to take appropriate steps to manage those risks. An investment in cybersecurity, or in risk management in general is kind of like a city, or a town investing in its fire department. You want to make sure that they are the best equipped, and best trained team that you can afford, and hope that you never ever have to use. So I'm done. Thank you so much for joining the webinar, we'll now open it up for questions, and please continue to submit questions through the question panel.

(DESCRIPTION)
Questions

(SPEECH)
All right, we've got a couple of questions here. Let's see, so let's see. How about this? So, I think for anybody--so, remote access will increase going forward. How will that change coverage requirements, and how will the question on the application--that's an insurance question. So that, I probably can't answer that right now. So, we're going to have to work with your underwriter, work with your partners in insurance, and decide how that is best going to be responded to. The applications probably will change, but it will take time, and it'll be a cooperative effort. All right, here's a question for Dan. So in your analysis, how can you tell the difference between a corporate computer, and a home computer?

Thank you. Yeah, that's a good question. So, part of what we, as part of that study, what we did is in order to create those collections of home offices that I was just talking about, as well as identifying the corporate networks, with BitSight, the product, what we're doing is, as John explained very early on, part of that process is understanding what IP addresses and domains corporate, and corporations and organizations use on the internet, what its responsible for. And we wanted to do this, the same thing, and take a step further to look at the home office, so basically what we had constructed, is we had already identified all the IP addresses and domain names that a company used, and we look at the devices that we frequently observed on those corporations, and then we took one step out, and looked at what other networks those devices were frequently observed on that weren't also other corporate networks.

And for every company in our analysis, we sort of extrapolated that out. So, what we ended up doing is, in our study, for every company we have their organizational map, basically the IP and domains that they use, then we have the collection of all the IP addresses that their devices were frequently in communication with, and frequently observed on, and that's basically how we then compare the two different demographics.

Excellent, thank you. OK, I have another question. It looks like this one's for Jared. If I don't have a modern endpoint detection tool, what can I do today to protect my company from computers that are coming back to work?

So, I think there's going to be some programs coming out. I know SentinelOne is going to let people use our technology at no cost for 90 days for companies returning from COVID. I think there's partners in this space who are looking purely to try to help. I would look to one of those partners and take advantage of that program.

Excellent, thank you very much. OK, we've got another question about important coverages to have for cyber insurance coverage to be obtained to make sure a claim will be covered. Are there are different coverages available? Again, this is one that you're going to want to discuss with your underwriter partner to make sure that you've identified what your risks are. We just discussed risks, what's important to you, what are the items that you have, what are the things that you have that will cause the most pain if something is wrong with it, and appropriately cover that with whatever protections you have, including transferring the risk with insurance.

OK, let's see. We have a question. I was not provided a company laptop, and I'm using my own laptop. Is there a bigger risk in doing this? Is it safer with a company issued laptop? And let's start with Dan and move to Jared if he has further points on that.

Yeah, you know that's another great question. There most certainly is increased risks. One thing that you have to be very mindful of, of course, is that in a corporate environment with the normal security teams that these organizations have, they have policies, they have practices, and they have ways of managing the system pushing updates, ensuring that the applications that you may be using to access sensitive data, or just do normal business operations are updated regularly, that the controls and configuration of those applications are correct. And when personal devices are introduced, you add a lot more sort of variability into this mix, and maybe the security teams of these companies may not actually have the ability to do that sort of management of devices, and the device may not actually have the protections that the company might expect.

So, in some cases, there could be increased risk. It all depends on how much the company has sort of prepared themselves, and their employees for introducing these devices into that corporate environment in that sense. So, there's a lot of variables at play, but if you take in a very foreign sort of device, that the corporation was not used, and immediately tried to access corporate data, there could be increased risk for the things that I explained earlier, and Jared can probably touch upon some of these as well.

Thanks Dan.

Yeah, what I would say is most of the time I see that occurring, it's when a company is using a lot of web-based applications, and they're subscribing to software service. So, they are a subscriber of various software service providers. And in that case, then in order to access that data, you would log in to multiple services. So, one, you should have multi-factor authentication, meaning you should have to enter some sort of text or pin code that comes into your phone in order to log into that application, and two, as a best practice to protect your employer, please don't save your username password in your browser cache.

So, you know, we do know that Chrome, and these various browsers will let you store those passwords, and they let you build really complex passwords. It'd be far better for you to create a very, very long password that's really easy to remember, and not store it into your browser, if possible. And if you're going to do that, then use a dedicated product that's designed for that, and has cryptographic protections on it.

Great, thank you guys. One more, so, I've installed a VPN on my home laptop that I use for work, ExpressNet, and an antivirus called Avast. Is this enough? Dan or Jarred, whoever wants to answer that one.

So, I'll talk that a little bit up front. Number one, the VPN simply allows your laptop to come into the corporate environment with a level of trust. If you're using the AV that your company is giving you, and you're using the VPN client your company is giving you, then you're complying with your company security policy. I would still recommend that your company look at AI, and behavioral driven EDR type product.

Dan, anything to add to that one?

No, I think Jared covered it well. There could be other policies and configurations beyond just Avast, and beyond just the VPN client. So, most certainly follow up with the security teams, or the IT teams at the company to understand what they believe to be--what their requirements are for a fully provisioned device, what they think is secure for what sort of application and data that's being accessed, just like Jared was mentioning. You could have a situation where most of the content that you're accessing is through a web browser, and through SaaS applications, and in a lot of those cases, you don't want the credentials for those SaaS applications to be compromised, and there's ways to help prevent that, as Jared was talking about, multi-factor authentication, or you may be actually using applications, other applications that you install. You've got to ensure that the configuration and state of those are secure too.

OK, well I think that we're reaching the end of our time, so I'll pass this back to Joan.

All right, Ken, Jared, and Dan, really, really practical advice for all of our listeners today. We had about 350 people dial in, so that was very exciting. There's no webinar fatigue going on. We were very, very interested in practical advice that you can implement today. So, thank you all to our panelists. Thank you all for 350 attendees. And the good news is, we're going to continue this series again we kicked off the summer series today with this terrific information, and then about every two weeks, we're going to come back to you, and offer you new content.

So we're going to be speaking about your path to reopening your business in the next few weeks, we're going to talk about geopolitical issues, the economic outlook, we're going to have some speakers on mental health issues for employees who are returning to the office, and ones that are choosing not to return to the office. So, really a mix of content for business, for your employee base, whether you're an agent, or broker or your small business middle market, a lot of the stuff will be applicable to you, and we're just thrilled to--

So, look in your email. We'll be sending emails. You can go on the Travelers Institute website, TravelersInstitute.org, and you can email me directly, so JoanWoodward@Travelers, and again, thank you to our panelists, and for attendees. We hope everyone is safe at home with their families and have a wonderful weekend.

(DESCRIPTION)
Thank you! Visit us at www dot travelers institute dot org

Joan Woodward full screen. She smiles.

(SPEECH)
And I'd like to now turn the presentation over to Joan Woodward; President, Travelers Institute, Executive Vice President Public Policy Travelers. Joan?

(DESCRIPTION)
Joan's photo. She is in the picture-in-picture.