Spotlight Podcast: QOMPLX CISO Andy Jaquith on COVID, Ransomware and Resilience

In this Spotlight podcast* we’re joined by Andrew Jaquith, the CISO at QOMPLX to talk about how the COVID pandemic is highlighting longstanding problems with cyber risk management and cyber resilience. We also talk about how better instrumenting of information security can help companies get a grip on fast-evolving cyber risks like human-directed ransomware campaigns.

There has been much speculation about what the long term impact of the COVID 19 pandemic will be on the private sector. Already, business leaders and investors are betting that the forced, mass experiment in remote work will produce long term changes in how companies manage their workforce.

Andy Jaquith is the Chief Information Security Officer at QOMPLX Inc.

But one byproduct of the shift to remote work is already clear: a marked increase in cyber attacks on corporate environments that take advantage of employees’ anxiety about the virus and lax home office security.

Ransomware’s Dangerous Rise

Among the scariest of those attacks are so-called human-directed ransomware attacks, which have sidelined sophisticated organizations ranging from the fintech startup Finastra to DMI, a cyber security contractor that counts the US space agency NASA as a customer.

What’s to be done? Our guest in this Spotlight edition of the podcast, Andy Jaquith, says that COVID is exposing some rifts in corporate cyber security.

New Tech Meets Old Tools

While the ways in which organizations deploy and use technology have changed dramatically in the last two decades, the ways in which they measure and account for cyber risk have not.

Andy is an amazing resource on all matters cyber security. A former Managing Director at both JP Morgan Chase and Goldman Sachs, he was also the Chief Technology Officer at the firm SilverSky, a cloud-based MSSP.

In this conversation, Andy and I talk about how COVID is highlighting larger issues around cyber resilience. We also talk about Andy’s new company, QOMPLX, which is working to improve the ways companies instrument cyber security, with an eye to improving both cyber defense and risk management.

To start off, I asked Andy about his storied tenure in the cyber security field including his work as an analyst for Forrester and his stint at the seminal cyber security firm, @stake. You can listen using the embedded player above, or by downloading the MP3 here.

Episode Transcript

PAUL: This Spotlight Edition of The Security Ledger Podcast is sponsored by QOMPLX. Your business is more complex than ever. You need tools to tame that complexity. QOMPLX’s advanced algorithms, simulations, and machine learning tools help the world’s most demanding firms solve the toughest challenges in cyber-security, insurance underwriting, and finance. Find out what QOMPLX can do for you at QOMPLX, that’s Q-O-M-P-L-X, .com.

PAUL: Hello, and welcome to this Spotlight edition of The Security Ledger Podcast. I’m Paul Roberts, Editor in Chief at The Security Ledger. In this edition of the podcast…

ANDY: I had a client of mine who said to me, my perimeter is now 10,000 home offices.

PAUL: There’s been much speculation about what the long-term impact of the covid-19 pandemic will be on the private sector. Already, business leaders and investors are betting that the forced mass experiment in remote work will produce long-term changes in how companies manage their workforce. The one byproduct of the shift to remote work is already clear; a marked increase in cyber-attacks on corporate environments. Among the most scary of those attacks are so-called human-directed ransomware attacks which have sidelined sophisticated organizations ranging from the Fintech startup Finastra to DMI, a cyber-security contractor that counts the US space agency NASA as a customer.

What’s to be done? Our guest in this Spotlight edition of the podcast, Andy Jaquith, says that covid is exposing some rifts in corporate security. While the ways in which organizations deploy and use technology have changed dramatically in the last two decades, the ways in which they measure and account for cyber-risk have not. In this conversation, Andy and I talk about how covid has highlighted larger issues around cyber-resilience. We also talk about Andy’s new company, QOMPLX, where he is Chief Information Security Officer, and which is working to improve the ways that companies instrument cyber-security with an eye to improve both cyber-defense and risk-management.

ANDY: Hi, I’m Andy Jaquith. I’m the Chief Security Officer of QOMPLX and also the general manager of the Cyber BU.

PAUL: Andy, welcome to Security Ledger Podcast.

ANDY: Thanks, Paul. Thanks for having me. It’s really nice to be with you today.

PAUL: It’s nice to have you. Andy, I brought you on because you’ve got a super-interesting background. I met you back in the day when you were really in the analyst community. Give us a sort of Andy Jaquith origin myth, if you will.

ANDY: Well, the origin myth I think extends way back into the deep, dark past, right, when I was a wee lad graduating college and stuff. I had a turn in the transportation business for a while. I worked for a subsidiary of FedEx and did general-purpose IT work and then — was then over at Cambridge Technology Partners in Boston. I got a tap on the shoulder by my boss who was contacted by some VCs who were starting a new company, and that company turned out to be @stake, and it was sort of the original hackers and suits marriage of folks like Mudge and Weld and Dill and all those guys from the L0pht, and folks that had more of a consulting background, which I did, and other folks like Dave Goldsmith and Window Snyder and Andy Schmitt, and the list goes on and on; Alex Stamos. We had a good time just…

PAUL: It was the Er company of the information security industry.

ANDY: Oh, yeah. A couple of the folks I’ve worked with subsequently; so, Matt Levine, for example, Royal Hansen, they were early consultants. Royal, of course, is now the Chief Security Officer of Google. Matty and I work together, and Royal, at Goldman for a while, so post-@stake, I was an analyst. Then even after the analyst job, I was a CTO of a managed security services provider called SilverSky which had a successful outcome and were bought by BAE Systems. After that, I wound up moving into investment banking, so I worked for Phil Venables at Goldman Sachs as the — as a managing director for analytics and risk measurement. That was a really interesting job, what we call a first line job in security, with direct oversight for things like external audit, assurance for our quarterly SOCs, and SSA-18 processes and the like. Got my hands on a lot, a lot of data. That tied pretty nicely with some work I had done earlier in the career around trying to quantify risk and security control performance, even though back in the day we weren’t really thinking of it in those terms.

It was more of a can we measure this thing called security, right? It’s been a fun career so far. I’ve really enjoyed all the different places I’ve worked because they have different problem sets. When you work in an investment bank, you’re dealing with really big problems and companies that have a lot of resources to spend, and you have a [00:05:00] really good idea of what great really looks like. You can take those lessons and immediately apply them in other contexts. We’re bringing some of that culture, some of that thinking into what we’re doing here at QOMPLX as well. It’s been a lot of fun to do and of course, it just means that when I talk to our customers and prospects, we usually have an instant affinity because I’ve been in their seats. It’s not normally what you can do when you’re a — just a product weenie working at a product company. Not that there’s anything wrong with that, but you know, it’s a different kind of conversation.

PAUL: What do you think your time, again, at JPMorgan and working, obviously, at the apex of the technology buyer pyramid, what perspective did it give you or what did you learn kind of sitting in that seat?

ANDY: Yeah, in general, you know what a really well-evolved program looks like, and you’re never perfect, but some of the banks are among the most-regulated entities on the planet. There’s a lot of oversight externally and of course, you’ve got a lot of internal layers of oversight as well. I don’t mean layers in a bad way, but I mean more in this sense of checks and balances. You’ve got a — most of the institutions these days follow what’s called a Three Lines of Defense model. The front lines, the risk-taking parts of the business, the business units directly as well as the — typically, the Chief Security Officer, is the first line of defense, right? Their job is to incorporate risk management into all their processes. In the cyber-space, obviously, that’s quite evident. Your SOC functions, for example, are all considered first line. Your active directory or IT security functions, your firewalls, your desktop security, your EDR platforms, your segmentation, all your network controls, all those typical things are considered first line.

The second line is where you start to see slightly more horizontal risk management. You tend to see compliance. For example, are we breaking any laws? Are we implementing all the obligations that the regulators — and oftentimes customers — expect us to, right? The third line, of course, is internal audit. These are all meant to reinforce each other. They’re not perfect, of course, but it does give you a view of how much time and effort and money, frankly, is spent on having controls that are well-structured, well thought-out, that are consistently applied and that give you a good foundation to know that your risks are really being measured and managed effectively. But these things don’t always work perfectly. It’s a little bit like Sisyphus; you gotta roll the rock up the hill every year, every quarter. There’s a relentless impatience to be better, right? That’s the thing that I think is most striking about some of the institutions I’ve been affiliated with, is there’s a — you’re never done. I think that desire to continuously improve is really a — is very affirming in the security space. It doesn’t feel like drudgery or work. It always feels like there’s a new challenge, a new frontier that you need to look at, to squint at, to get under control, to wrestle to the ground, and eventually move onto the next thing.

There’s big, thematic things that are happening at all these institutions right now in the financial space, what’s sometimes called cyber-fragility or cyber-resilience which is kind of the melding of business resilience and cyber, right? That’s a thing that everybody’s wrestling with right now. It’s not just, do you have a BCP plan? It’s really everything. It’s how do you run a reliable plant that can withstand a — withstand outage or a cyber-attack and be done in a way that is consistent, that is aligned and attuned to business sensibilities? That’s way different than, I’ve got a BCP plan. I executed it like, last year. It may or may not be stale, right? It’s taking a really business process-centric view. But what I would say is, you take a lot of these lessons and you try to apply them in other places that you work and with the client conversations that you have. It just gives you a different view. I love it. This field is so great. It never gets old, it never gets boring, and there’s always a new wrinkle.

PAUL: Well, I mean, what’s interesting is you literally wrote the book on measurable security and security metrics. It must be fifteen years ago now?

ANDY: Yeah, don’t remind me, man. I’ve got less hair and I’m grayer than I used to be when I wrote it. Yeah, it was a bunch of things I would probably do differently. My wife tells me I need to write a sequel. I’m not sure she knows what she’s asking for there. I think the book has weathered pretty well in many respects. When I wrote it, it didn’t anticipate a couple of things. The first is that we’d have such a strong emphasis on control-driven compliance, [00:10:00] right? Think about what’s happened in the last fifteen years; you’ve got stuff like the CIS Top 20, the NIST cyber-security framework, NIST 863, 853, NIST — the ISO 27000 has really become a fixture. All these things, they were precursors of it, but you didn’t see an enumeration, a specificity of the specific controls you needed, right? Whereas now, it’s an accepted part of the assurance landscape, the SOC 2s, SSA-18s, your external audit stuff that you need to do when you’re a large company, your representations that you make if you’re a publicly-traded company for SOCs compliance, for example. All those boil down to having well-controlled processes, controls, really, that you can show evidence for.

The book didn’t really anticipate controls as a thing, but many of the measurements and metrics in the book — and there’s 200 and change of them in the book — have actually weathered pretty well. You can map them pretty cleanly to many of the things that companies are trying to do from a quantitative assurance standpoint. That’s weathered well. The stuff that I don’t think I foresaw and frankly, I think it’s hard to see how anybody could have foreseen the incredible rise of Cloud services and the hollowing-out of IT. I think we saw some of this but in the last fifteen years, we’ve seen AWS come out of nowhere from what was a really nice, clever way of helping automate their sales of books into something that was offered on the open market and has largely replaced many things, many traditional data center operations. At QOMPLX, for example, we are almost 100% virtual. I think we own one server that goes under a desk and it got moved to a colo because the desk isn’t a great place for it. That’s it, really. We got switchers, routers, we got the WiFi access points, we have building control systems and stuff, but in terms of real, like real compute — you don’t own any of it.

Many companies that are born natively in the Cloud are that way. That has some important implications on how you measure. It’s kind of an article of faith in security that you’ve got asset management systems, right? You’ve got to know what your assets are and you gotta manage them, and that asset inventory needs to be complete. Well, in the age of dynamic immutable ephemeral, which is kind of the rallying cry for the DevOps revolution, those assets aren’t guaranteed to be here tomorrow. That’s a different measurement paradigm entirely than keeping a static list of assets that you are gonna scan continuously or that you are going to config manage into submission, for example. It’s a different thing entirely and I would say the — in terms of if I look back at some of the measurement concepts there, you’ve got to take a slightly different view on how you measure them. I’ve started to sketch some of that out in Security Metrics, the sequel, and in some of the stuff I’ve written publicly. What it really comes down to is you’re anchoring yourself not against physical assets, but against a chain of custody that allows you to demonstrate that these ephemeral assets that you may have created or are seeing torn up and destroyed are coming from a known pedigree.

It’s sort of like — it’s like painting, right? If you look at somebody who is maybe a little more prolific like Salvador Dali who made thousands of artifacts, some of which was just pure crap to generate money, but if you know what his style was, you know what his art production style was, you almost don’t need to have a complete inventory, all of it. You just need to know that, show enough, I have a way of demonstrating that this thing came from his mind, made its way onto canvas or a piece of photo paper, and we know that it is genuinely his; there’s a lineage, a chain that you can draw from your designs to your AMIs to your config manifests, and then out to your control structures that show that you generated assets in a consistent way and that you can trace them all the way back to the control, to the designed engineered image that you produced originally. I think that’s really where the future of asset management is and the future of asserting control over these things. If you could do those, you’ve got a better control structure but that’s very, very different than what we talked about fifteen years ago. I think everybody’s working with this right now.

PAUL: You’re listening to a Spotlight edition of The Security Ledger Podcast, sponsored by QOMPLX.

ANDY: It really has profound implications for the information security sector because obviously as you go out there and walk the floor at the RSA Conference or something, most of the companies there grew up, evolved, to secure those legacy environments, not the environments that a startup like QOMPLX has created for itself. I think everybody’s grappling with this right now, even in the vendor space. I’ll give a shout-out to our friends at Tenable for example, [00:15:00] you know, Amit and his team. We use Tenable ourselves, right? We use that for vuln scanning internally to look at our assets. There’s a really cool feature called keyless authentication, but what that allows you to do is to dynamically scan assets that may pop up in, for example, an AWS environment.

It’ll basically tail your CloudTrail logs to see when new machine images pop up. When they do, it updates your inventory. I think just being more savvy of these Cloud environments is the next evolution for tooling. In the Tenable case, for example, that’s a neat capability, right? It’s exploiting some of these native features of Cloud to make the — allow the product to evolve. Of course, Nessus, which it was based on, was around even when I got into the biz. That’s a twenty-five-year-old product. It’s nice to see a product like that build some new capabilities that allow it to continue to evolve and embrace some of the new dynamism we’re seeing in the compute world. It’s pretty cool.

PAUL: You know, it’s really — somebody else pointed this out to me recently in the context that we’re in right now with the covid pandemic and this huge shift in working from home, and obviously, that’s caused a fair amount of dislocation. It’s engendered a lot of — huge jump in cyber-threats and attacks, playing on fear and anxiety about the virus and so on, but at another level, kind of that glass half-full, you realize that if covid had come along fifteen or twenty years ago, I’m not sure that the business community could have adapted in the way that it — in fact, it’s almost certain that they could not have. We couldn’t have bought and deployed the physical infrastructure to support work from home for millions of employees, you know? Companies could not have extended their applications and business critical systems out to employees in their home offices. The capability and the infrastructure didn’t exist to do it, and now it does. It’s a huge success story for this transition that’s been happening slowly over the last…

ANDY: It’s amazing, isn’t it? I knew there’s a certain species of company that was already pretty savvy and pretty well set-up for this. Most of the institutions that I’ve been at have kind of well-funded client compute plants. They’re often VDI-based, so you don’t really need a physical machine. All you need is a video terminal, really, like a terminal server-type log-in. They’re not really missing a beat on this. Yeah, sure, you gotta make sure you get enough bandwidth from your providers and that’s important, but they were already kind of capable of this already. I know in our case, we haven’t missed a beat. We’ve put some strain on some of our providers, but for video conferencing and stuff like that, I know that’s all gone through the roof, but this is the world’s biggest BCP test and it’s a real — it’s an incredible validation of the fact that we’ve — that bandwidth is — there’s a lot of bandwidth, a lot of services. You get some strain but for the most part, it’s actually surprising how well it’s worked.

PAUL: Yeah, it’s really around the edges, you know, that they’re encountering strain at all. Yes, there are disruptions of some activities but by-and-large, the story is one of amazing resilience and continuity for many, many companies. Obviously not all; I mean, obviously as we know, many people, the jobs they do require them to be physically present.

ANDY: There is, of course, a dark side though, Paul, right?

PAUL: That sets up the transition perfectly to the next topic of conversation which is yeah, that this wonderful, amazing technology has also extended the web of third-party and contractor and supplier relationships that companies have, and in its own way engendered all kinds of new risks that the companies are really struggling to deal with. The data point I would point to is the ransomware attack that took place and affected a key supplier of NASA, the space agency that just shot a capsule with astronauts for the first time in a decade into space to the International Space Station. Lo and behold, the astronauts are barely on the space station before the DoppelPaymer ransomware gang let the world know that DMI, which is a managed IT and cyber-security company that counts NASA as a customer, had been a victim of their ransomware. It does raise this question; DMI is just the latest in a string of what you would assume are very sophisticated, very technologically savvy companies who find themselves a victim of these sophisticated ransomware outbreaks. I guess I’d ask you, what’s going on here? How can a company that’s managed services, that manage — and cyber-security services company end up the victim of DoppelPaymer ransomware? Yeah.

ANDY: [00:20:00] It’s not a stretch to say that the covid world we’re in where we do have everybody working from home is creating some gaps in the security posture of companies that are making it easy for these kind of attacks to take place. I had a client of mine who said to me, my perimeter is now 10,000 home offices. I thought that was a great way of putting it. Just to be concrete about this, right; when I was at one of the institutions, we had a policy around blocking websites, and you rely on your web proxies to filter out known bad websites. But one of the other features we had that frankly, it created a little bit of tension sometimes with the revenue-generating business units and the firm was anything that was unclassified was blocked by default. You could speed bump it, so you could say do you really know what you’re doing?

But what that barrier was in place partly to prevent known bad websites like Fast Flux websites that get set — that are often set up for some of the user ransomware campaigns or these command and control networks, you wouldn’t be able to call out, and frankly, a bot that might have gotten lodged in your network because of a phishing attack, for example, wouldn’t really be able to call out without hitting the speed bump, right? This was very much by design. Now, if you’re in a home office, you don’t have Blue Coat or Palo Alto in your home office. You just don’t. You don’t have some of those internal policy controls, right? It really places a stress on making sure that if you’ve got an EDR client on your — on that machine, that it’s working and running, or if you’ve got endpoint controls that do blocking at the endpoint, that those need to be working right.

I think just because we don’t have as good web controls in people when they’re in a home office environment, I think that facilitates and makes easier some of these ransomware attacks. I think that’s kind of part one to it. The second thing in general is I think it is — there’s probably a bit of human nature here where you might perhaps be a little laxer in some of your day-to-day habits even on company-issued equipment than you might be if you’re in a physical office. That could be things that are benign like shopping or other things that might set you up to get into a more risk — slightly more risky posture than you might be if you’re inside a physical office with colleagues and bosses looking over your shoulder and things like that. I think those two things feed into it. What that really means is we’ve all got to be more vigilant for some of these risks as they come over the transom, and that includes ransomware which is nasty, terrible, devastating, burn-the-house-down kind of stuff when it really gets in and gets stuck in a network.

PAUL: Yeah, I mean, I think one of the things we’re also seeing is that not all ransomware attacks are equal, and while there are definitely certain — there are certainly opportunistic ransomware infections; you click on the attachment or a link and it infects your system and immediately spiders out on the network and creates a lot of noise and havoc, these attacks suggest that there are what Microsoft’s referred to as these human-operated ransomware that are taking a very different attack with their victims which is much more akin to the sort of APT-style. Talk a little bit about that and what this is exposing, I guess, about the state of play out there in the enterprise space.

ANDY: This is a tough subject, right, because the — this is I think what makes things different with some of these campaigns and that’s what they are, really; they’re campaigns that are targeting a company, different from your — from the ones that are designed to, for example, to steal industrial secrets. The APT campaigns were really about stealing industrial secrets. The ransomware campaigns are slightly different. They’re ransoms, right? You gotta pay up and if you don’t pay up, your asses get fried. We saw this with Maersk, for example, where they were — this was part of the NotPetya ransomware campaign, and that’s — that campaign bundled tools like Mimikatz into the executable bundles to extract AD credentials that would allow an attacker to gain admin access. Once you gain domain administrator access, you can pretty much spread everywhere. In that particular case, it led to the — and the quote that I recall from this was “100% destruction of anything based on Microsoft that was attached to the network.”

Not to pick on poor Microsoft, right; this is just to say that this was the target vector and it crushed everything. [00:25:00] I think it was a — they took out like a 300 million dollar charge. What is that? That’s three followed by eight zeroes, right? That’s a lot of money. It basically — these are not — Maersk is — they’re a shipping line, right? They’re not an investment bank. It’s not the easiest thing in the world to recover from. I think what’s different about the attacks is that they’re actually designed to be destructive as opposed to embarrassing which is really what a confidentiality breach is. This one is a really — is a real productivity and asset-destroying kind of campaign. I think that’s the thing that you worry about here. In our case, what we really look out for and what we counsel our clients to pay attention to is to harden their directory infrastructure in such a way that you can really detect these precursors. I think what the common point of a lot of these campaigns is, your goal is to — it’s like the old t-shirt ‘got root?’ Right?

That’s what this is. Your objective is to get the equivalent of root in your directory which is domain admin. That’s what you want. We advise customers to instrument their directories in such a way that they can detect when somebody has elevated access and properly pressed by forging credentials or other means where we can detect that elevation, that improper elevation, and can then take action, right, which is hey, your house is about to be on fire. This is not a — some idiot e-mailing a spreadsheet to their home laptop so they can work on it on the plane. Don’t care, right? That’s not the issue we’re talking about. This is a, you are about to have a five-alarm fire. It is going to burn down your infrastructure, right? That’s what we want customers to be savvy to. That, I think, is the key, is getting your finger right on those critical choke points that allow you to know exactly when, frankly, that worst-case scenario is happening.

PAUL: I guess the problem for these sort of upstream companies whether it’s NASA or JPMorgan or CitiBank or whomever is you, today, more than ever, are reliant on these third-party suppliers and service providers. While you may attest to the security of your own environment, it’s very difficult to know about the security of theirs. We’ve seen both — like, this NASA attack is one, Finastra was another one, big impacts in the financial services, kind of a clearing house that got hit by I think the Ryuk ransomware. How do you manage that tricky problem of now being in a position of not only needing to attest to the security of your own environment but also assessing your exposure to security risks that you don’t know about within your service providers?

ANDY: This is fundamentally a hard problem. It doesn’t really matter how big and sophisticated you are; nobody’s ever satisfied with how well they’re looking at third-party risk. It’s a big deal. I think the common feature I’ve seen in companies that do this better than others is that you integrate security and risk assessment into your purchasing criteria and that you’re very aggressive on a monitoring basis, based on a risk-adjusted basis, right? Like, somebody who delivers you copier paper is not that interesting. Somebody that is managing your payroll, well, that’s a lot more sensitive, right? Your level of scrutiny is gonna be much higher and if you’ve got a payroll provider, you are doing the obligatory questionnaire, you’re doing the external risk scanning and assessment, you’re probably doing some benchmarking from external observables.

You’re gonna be sending in the goon squad, right, with clipboards and their fine-grained assessments, you might be doing data center tours, as valuable as those are or aren’t these days. But what’s been a little bit elusive is the instrumentation. I think the area that you’re gonna see more activity in the industry on, and certainly we’re participants in this, is on the active instrumentation of security in some of these companies, getting more of an inside view of how they’re performing. The analogy here is in the automotive space, right? It’s worth something to me if I’m an insurer and I’m writing you a car insurance policy. I’m gonna give you a break if I’ve got a box inside your car that is able to actually see how you’re doing, what kind of driver you are, right?

I think for certain kinds of companies, this is going to be a more and more attractive proposition to [00:30:00] actively instrument the inside view of how companies are doing. Our view on this is that this is gonna be more of a fixture. Not necessarily widespread, but it’s gonna be very important in certain cases, and certainly in the risk-transfer space and insurance, we view this as something that’s gonna be important to enable insurers to write policies that are more profitable, more accurate, and frankly, that give customers that are doing the right thing a better policy that is more commensurate with the risks they’re taking and priced better as a result.

PAUL: You mentioned QOMPLX, the company you work for and I work with, and the work that you do both in the cyber-space and in the insurance space. I guess the question is, so what’s the secret sauce and what has changed to allow a company like QOMPLX, a startup, to be able to effectively assess and manage these risks that didn’t exist five years ago, let’s say?

ANDY: It’s probably worth noting what hasn’t changed, right, before we talk about what has changed. I was at an insurance conference a couple months ago and I’ve always paid attention to cyber insurance, but I’ve never really given it a lot of credibility because it struck me as being very questionnaire-laden and not that insightful. But I asked a very naive question; I was sitting at lunch with somebody who was an underwriter. I said so, walk me through the underwriting process. How does this work? She said oh, well, when we bring on a new client, we send them a security questionnaire and we want them to fill it out. It’s usually twenty questions or fifty questions or whatever it is. In the pre-bind phase, we’ll do a vulnerability scan of their external perimeter. Post-bind, we’ll do some tabletop exercises around how they’re gonna handle certain situations, and we’ll do regular vulnerability scans of their perimeter. I said oh, okay. Is that it? Yeah, that’s pretty much the process.

I thought to myself and I thought well, fifteen years ago, that’s kind of what we were doing. Fifteen years later, there’s more regularity and definition of tabletops and phone scans and things like that, but it’s fundamentally questionnaire, vuln scan, tabletops. To quote Jack Nicholson, what if this is as good as it gets? Well, I think our view, frankly, is that it can be better than that, right? You know, we look at instrumenting your directory, we look at providing instrumentation over some of your network telemetry and some of your security tooling from the inside. I think that’s ultimately the value props that we think is the longer-term play here with many of the insurers. We think they can be more profitable, that their ability to cover given risk is going to be more knowledge-based and insightful based on increased telemetry and data. I think that’s our point of view on things. As we continue to move ahead, you’re gonna see more of a story from us about some of those capabilities.

Without letting the cat out of the bag there, I would just say that to me, that is the secret sauce; more and better accurate data about the internal workings of your security teams, your security operations, your environment, should enable insurers to make more profitable underwriting decisions as they move forward in the cyber-space. It’s hard, right? This is a hard problem. Cyber is hard. Enterprises are different. Trying to pin this stuff down is a hard problem, but I do think we’re gonna take — we’re gonna see incremental steps. Some of them are gonna be baby steps, some are gonna be big steps as we try to get our arms around it. Certainly just speaking as a numbers guy and a guy who has spent a fair bit of his career looking at metrics, we have to get better at this ’cause it’s — the days of self-assessing ourselves and feeling like we’re actually that insightful, I think those days are gonna start to pass us by. How do you feel — on an enterprise-wide basis, how do you feel you’re doing with vulnerability management? Oh, I feel I’m doing great. I think that that was the question I was trying to get away from fifteen years ago, and I think we’re still asking it. We’re gonna do better. We have to.

PAUL: Andy Jaquith, thank you so much for coming on and speaking to us on Security Ledger about QOMPLX and ransomware and security metrics.

ANDY: Paul, it’s always a pleasure to talk to you. Thank you for having me.

PAUL: You’ve been listening to a Spotlight edition of The Security Ledger Podcast, sponsored by QOMPLX. Your business is more complex than ever. You need tools to tame that complexity. QOMPLX’s advanced algorithms, simulations, and machine learning tools help the world’s most demanding firms solve the toughest [00:35:00] challenges in cyber-security, insurance underwriting, and finance. Find out what QOMPLX can do for you at QOMPLX, that’s Q-O-M-P-L-X, .com.

Transcription by:

(*) Disclosure: This podcast and blog post were sponsored by QOMPLX. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.

As always, you can check our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to to get notified whenever a new podcast is posted.