Prioritise automated hardening over traditional cyber controls, says report

Endpoint detection and response (EDR), multifactor authentication (MFA) and privileged access management (PAM) have long been the three tools most commonly required by cyber insurers when issuing policies, but a report compiled by the Cyber Risk Analytics Centre at professional services firm Marsh McLennan suggests that automated hardening techniques are more effective than traditional tools by some margin.

The report directly links the key cyber controls that insurers demand are put in place prior to issuing a policy to a reduced chance of a cyber incident, and by assessing the relative effectiveness of each, Marsh McLennan’s analysts believe organisations can better allocate their scarce resources to the most effective tools, better position their risk with insurers and ultimately improve their overall resilience.

“All of the key controls in our study are well-known best practices, commonly required by underwriters to obtain cyber insurance. However, many organisations are unsure which controls to adopt and rely on expert opinions rather than data to make decisions,” said Tom Reagan, US and Canada cyber practice leader at Marsh McLennan.

“Our research provides organisations the data they need to more effectively direct cyber security investments, which in turn helps favourably position them during the cyber insurance underwriting process. It is another step toward building not only a more resilient cyber insurance market, but also a more cyber resilient economy.”

The report data comprises Marsh McLennan’s own cyber claims dataset, and the results of a series of cyber security self-assessment questionnaires completed by its US and Canadian customers.

Based on the correlation between the two datasets, it was able to assign a “signal strength” metric to each control method – the higher the metric, the greater impact the control method has on decreasing the likelihood of an incident.

It found that organisations that used automated hardening techniques that apply baseline security configurations to system components such as servers and operating systems were six times less likely to experience a cyber incident than those that did not. Such techniques include, for example, implementing Active Directory (AD) group policies to enforce and redeploy configuration settings to systems.

Marsh McLennan said this was something of a surprise given the emphasis put on EDR, MFA and PAM, and while such tools remain important and useful, the report also revealed some insight into how they stack up in reality.

MFA, for example, only really works when in place for all critical and sensitive data, across all possible remote login accesses, and all possible admin account accesses, and even so, organisations that implement it this broadly (which not all do) are only 1.4 times less likely to experience a successful cyber attack. The report authors said this clearly showed the benefits of a defence-in-depth approach to cyber security, rather than haphazardly implementing tools in some instances but not others.