Vasily Merkushev - stock.adobe.c

Prioritise automated hardening over traditional cyber controls, says report

A report from strategic risk specialist Marsh McLennan advises security buyers to funnel their budgets towards automated cyber security hardening techniques, saying they have a much better chance of reducing risk in a meaningful way

Endpoint detection and response (EDR), multifactor authentication (MFA) and privileged access management (PAM) have long been the three tools most commonly required by cyber insurers when issuing policies, but a report compiled by the Cyber Risk Analytics Centre at professional services firm Marsh McLennan suggests that automated hardening techniques are more effective than traditional tools by some margin.

The report directly links the key cyber controls that insurers demand are put in place prior to issuing a policy to a reduced chance of a cyber incident, and by assessing the relative effectiveness of each, Marsh McLennan’s analysts believe organisations can better allocate their scarce resources to the most effective tools, better position their risk with insurers and ultimately improve their overall resilience.

“All of the key controls in our study are well-known best practices, commonly required by underwriters to obtain cyber insurance. However, many organisations are unsure which controls to adopt and rely on expert opinions rather than data to make decisions,” said Tom Reagan, US and Canada cyber practice leader at Marsh McLennan.

“Our research provides organisations the data they need to more effectively direct cyber security investments, which in turn helps favourably position them during the cyber insurance underwriting process. It is another step toward building not only a more resilient cyber insurance market, but also a more cyber resilient economy.”

The report data comprises Marsh McLennan’s own cyber claims dataset, and the results of a series of cyber security self-assessment questionnaires completed by its US and Canadian customers.

Based on the correlation between the two datasets, it was able to assign a “signal strength” metric to each control method – the higher the metric, the greater impact the control method has on decreasing the likelihood of an incident.

It found that organisations that used automated hardening techniques that apply baseline security configurations to system components such as servers and operating systems were six times less likely to experience a cyber incident than those that did not. Such techniques include, for example, implementing Active Directory (AD) group policies to enforce and redeploy configuration settings to systems.

Marsh McLennan said this was something of a surprise given the emphasis put on EDR, MFA and PAM, and while such tools remain important and useful, the report also revealed some insight into how they stack up in reality.

MFA, for example, only really works when in place for all critical and sensitive data, across all possible remote login accesses, and all possible admin account accesses, and even so, organisations that implement it this broadly (which not all do) are only 1.4 times less likely to experience a successful cyber attack. The report authors said this clearly showed the benefits of a defence-in-depth approach to cyber security, rather than haphazardly implementing tools in some instances but not others.

Prompt patching: a path to protection

Conversely, patching high-severity vulnerabilities – those with a high CVSS score of between seven and 8.9 – within a seven-day window was markedly more effective than expected, decreasing the probability of experiencing a cyber incident by a factor of two, and yet only 24% of organisations that responded to the questionnaires were doing this.

It said organisations that implement improved patching policies stood a good chance of not only increasing their own resilience, but in comparing favourably against others, could make themselves a much more attractive risk to cyber insurers.

Note, however, that prompt patching of vulnerabilities with severe CVSS scores of nine and up were less effective at reducing the likelihood of a successful incident – likely because threat actors are much quicker to exploit them.

The most effective controls out of the 12 studied were:

  • Hardening techniques, which reduced the likelihood of a successful cyber incident 5.58 times;
  • PAM, which reduced the likelihood 2.92 times;
  • EDR, which reduced the likelihood 2.23 times;
  • Logging and monitoring through a security operations centre (SOC) or managed services provider (MSP), which reduced the likelihood 2.19 times;
  • Patching high-severity vulnerabilities, which reduced the likelihood 2.19 times.

Some of the less impactful controls, besides MFA, included cyber security training initiatives and email filtering.

Marsh McLennan’s full report can be downloaded here.

Read more about security buying decisions

  • Too many organisations are following a reactive approach to cyber security, which WithSecure believes is stifling security teams ability to demonstrate value and align with business outcomes.
  • The majority of cyber security purchasing decisions are made without proper insight into the attackers organisations are facing, according to a Mandiant report.
  • Faced with a global recession next year, security buyers should try to direct investment towards technology that protects customer-facing and revenue-generating workloads, say analysts.

Read more on IT risk management