External scan data in cyber risk underwriting: What you need to know

Underwriting cyber risk with a modeling solution comes with an immense amount of data, so it’s challenging to know whether the information you have is enough to make profitable decisions.

The secret to making confident risk choices is having the right mix of data categories from a wide array of reliable sources. When it comes to the kinds of cybersecurity data you need to consider, we group these into two categories:

- Internal data (behind the firewall data)
- External data (including network scans)

However, neither type of data can be used in isolation. Your cyber modeling solution should combine both internal and external data in order for you to make appropriate cyber underwriting decisions.

In this blog, we’ll go through the value of external data, how to make the most of it, and then look at how CyberCube uses external scan data within our cyber analytics tools to help (re)insurers make informed risk decisions.

The value of external scan data

In order to make informed risk choices, observations of a company’s public facing Internet infrastructure are vital. The information derived from these observations can yield insights that help underwriters uncover critical risks. For example, it’s possible to determine if a company has improperly configured websites, or even if the company has web servers that have known open vulnerabilities (CVEs), and much more.

Cybersecurity hygiene

In fact, more can be gleaned from effective external scanning. The cyber risk signals that can be created from external scan data are often used as indicators of a company’s cyber security hygiene.

Perhaps the most familiar external scan data for underwriters today shows if a company has Open Ports. Companies that don’t close unnecessary ports have poor hygiene, and an Open Ports signal can help underwriters determine if a company is at risk of having those ports abused in attacks.

When choosing a cyber risk quantification solution, you must ensure that it can accurately measure an organization’s level of cybersecurity maturity. However, external scan data alone is not enough, because it only provides a partial view of an organization’s cybersecurity. (Re)insurers can benefit the most from a solution that not only provides the external data you need, but also augments it with alternative sources so you can gain a comprehensive view of risk.

How to make the most of external scan data

So why isn’t external data enough to make informed risk choices?

Getting a better perspective on the risk

It’s important to remember that external network vulnerability scans only produce a single snapshot in time of a company’s network. Underwriters may falsely conclude that no risks exist on the network, when in reality there were risks present either before or after the scan was conducted. Gaining a longer view is essential.

As the world’s leading cyber analytics provider, CyberCube has a deep knowledge of the industry and the data needed to effectively underwrite cyber risk. The right cyber modeling solution will approach data sourcing from third parties and analysis in a way that ensures you have the proper perspective when trying to understand a company’s risk.

Accuracy vs. speed

Network scans often tout the ability to provide “real time” data. However, past experience with these data sets has led us to believe that they are prone to delivering false positives. For example, some scans will not measure the correct network (or IP addresses) and will still deliver that data to an underwriter solely for the sake of speed. This tradeoff between speed and accuracy is not acceptable. Underwriters that get bad data will undoubtedly make bad choices.

CyberCube prioritizes the accuracy of the data in all of our products over delivery speed. We believe that our customers benefit more from our analytics team (and our algorithms) taking the time to clean, corroborate, deduplicate, and attempt to verify the information we deliver. Nevertheless, we are making consistent improvements to deliver more accurate data faster.

Accounting for an attacker’s playbook

Perhaps the most limiting factor of external network scans is that they do not fully account for the attacker’s playbook. Today, attackers leverage social engineering attacks such as phishing and password theft to gain access to a network. Many external scans will fail to fully pick up a company’s susceptibility to phishing, and do not alert underwriters to exposed passwords.

A mix of CyberCube’s external scan derived cyber risk data and internally derived data offers the ability to observe up to five different signals that indicate this susceptibility, including whether or not a company has login credentials exposed or for sale on the Dark Web.

Attackers also abuse trusted relationships once inside a network to move laterally toward their objective. Network scans will not tell if a company is overly susceptible to this kind of lateral movement. CyberCube’s internally derived Symantec telemetry data can show the extent to which a company’s microsegment has “hacking tools” installed on its network, which are often legitimate admin tools that have been repurposed to move laterally in an attack. Understanding where these tools are concentrated can help underwriters account for the risk of these types of attacker activities.

Understanding threat context is critical

Even companies with perfect network scans can still get breached. For example, if that company is operating in a heavily targeted industry, or has inherent cyber exposure, network scans can fail to provide all of the necessary information about threats a company is facing. That’s why underwriters need to know the threat context and inherent exposure of a company to truly assess the cyber risks at hand.

CyberCube’s internal Symantec telemetry data can help determine if a company is operating in a microsegment that experiences a relatively high number of malware attacks compared to peers. Companies in highly targeted microsegments are high risk even with good security.

While we recognize that external scan data is a critical element to understanding cyber risk, understanding the limitations of it and knowing how to make the most of the data is key to making better underwriting decisions. A lot of this comes down to whether you’re using the right modeling tool that provides a comprehensive, long-term view of data to make the assessments necessary.

How CyberCube utilizes external scan data

CyberCube tracks nearly forty different company specific cyber security signals today. Many (but not all) of these signals are derived from our data partners that conduct external scans. However, given the limitations of external scan data alone, CyberCube has built a unique approach to augment this data with additional sources, which our clients benefit from.

Security and Exposure Risk scores

CyberCube’s single-risk underwriting solution, Account Manager, pulls externally derived scan data and internally derived Symantec security telemetry data, which is utilized to create the CyberCube Security and Exposure Risk Scores. These scores are also considered in our portfolio management solution, Portfolio Manager.

For example, we consider Security and Exposure Risk scores in Portfolio Manager to calculate the likelihood of an individual single point of failure technology suffering from a cyber event.

The Security Score is also used as a secondary modifier of cost component loss estimates. Scores are used to create five tiers of modifiers, with the highest tier carrying a downscaling factor, reflecting that more secure companies are more resilient to the overall impacts of events, and vice versa.

While we consider wider use of these data signals within Portfolio Manager, CyberCube’s position is to only do so where there is significant reason, where it can be easily defended and where its impacts can be seen transparently by users.

Maximize how you use external data

While the amount of data underwriters can access can be overwhelming, it’s all about identifying the data you need and making the most of it. When external scan data is paired with internal data and parsed by cyber analytics experts who understand the unique needs of the insurance industry, the combination can level up your cyber underwriting capabilities — leading you to long-term profitability.

At CyberCube, we pride ourselves on our effective approach to data, which ensures you gain a reliable and forward-looking view of risk. Our multi-disciplinary team of cyber analytics experts demonstrates that it is possible to gain the insights you need when the data is sourced and analyzed correctly.

If you’d like to learn more about how you can use CyberCube’s cybersecurity data to make more confident and profitable underwriting decisions, get in touch today — contact us.
