Cyber Insurance Drives Security Beyond Your Cyber Policy

EP 114: Cyber Insurance Drives Security Beyond Your Cyber Policy


About this episode

September 13, 2022

Can small-medium-sized businesses benefit from cyber insurance even if they don’t buy a policy? How? Let’s find out with my guest Jason Rebholz, CISO at Corvus Insurance. Your host is Kip Boyle, vCISO with Cyber Risk Opportunities.


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Kip Boyle: Everybody I'm sorry, Jake's not here. I think we're going to do well though, because we have a great guest and what are we going to do today? Well, I'll tell you. We're going to take a look at cybersecurity for companies that have less than a billion dollars of annual revenue. Now, as a group, we call them small medium businesses or SMB, and you might be surprised to find out that a company with 900 million of annual revenue, is still considered to be a small, medium business, but they actually are. And the way we're going to look at this today, is we're going to look at it through the lens of artificial intelligence driven commercial insurance, which we've not done that before with our guest, Jason. And Jason is the chief information security officer at Corvus Insurance. And Jason, welcome to the podcast. So glad you're here. And you know what I realized, is I never asked you how to say your last name. What a bad host I am. Would you please tell us how to say your last name?

Jason Rebholz: Absolutely. So, Hey everybody, I'm Jason Rebholz, I'm the chief information security officer at Corvus Insurance, a cyber insurance carrier that leverages AI and ML to identify risk.

Kip Boyle: AI and ML. Okay. So first of all, thank you for making it possible for me to not butcher your last name. It actually is said the way it's spelled, Rebholz. So that's thank you, Jason. Now I like to unpack jargon on the show for our listeners, right? So you said AI ML. What is that again?

Jason Rebholz: Yeah, so that's artificial intelligence and machine learning. It's really a fancy way to say that we use a lot of data to understand what the true risk is or predictive risk, of somebody potentially having a cyber incident in the future.

Kip Boyle: Okay. All right. And so you're an insurance carrier Corvus is, but very different, right? I think in the show prep you were saying that you guys would be considered insurance tech, right? Is that the category that you belong in?

Jason Rebholz: Yeah, that's correct. So we fall into two different categories. One is the insure tech realm, which is where we're leveraging technology to help underwrite insurance. And then we're also, what's called an MGA, managing general agent, where essentially we are helping sell the policies and then we work with other carriers or re-insurers on the back end, to be able to scale better.

Kip Boyle: Oh, okay fascinating. There's so many permutations in the insurance market is what I noticed. So I appreciate you explaining that. I'm not going to unpack it though. So if anybody's listening-

Jason Rebholz: That's a whole other show.

Kip Boyle: Yeah, if anybody's listening, they're like, no, no, we don't want to go deep on insurance. Don't worry. We're not going to do that. But I did want to at least make it clear what Jason's perspective is. What lens does he look at cybersecurity through? Because, well, first of all, Jason, you told me that you learned cybersecurity dominantly from an incident response perspective. Did I get that right?

Jason Rebholz: That's correct. Yeah. I was really born and raised in incident response. My first job straight out of college, was working for Mandiant, which is a leading incident response firm. And so from day one, I was in the thick of it, doing investigations for nation state threats, for hacktivists, did a lot with PCI fraud while working credit card breaches and then spent the last really six, seven years focused in on ransomware and business email compromise.

Kip Boyle: So you must be exhausted.

Jason Rebholz: There's a reason why I don't do incident response anymore, yep.

Kip Boyle: That is hard stuff. That's like being a firefighter and being called out of your bed in the middle of the night all the time, to slide down the pole, put on your boots and get on the truck. I mean, it's just incessant. I'm impressed that you did it for as long as you did. Congratulations and thank you, because we certainly do need people to do that. What was the final... Was there a final straw? What made you say, that's enough, Jason?

Jason Rebholz: Yeah, I reached a point where a lot of the incidents that I was responding to were the same thing. I really felt that I was playing Mad Libs here where there's just a similar pattern that happens. And you reach a point where you're saying, why am I solving this problem of cyber security, one client at a time, because there's larger trends to try to tackle. And so I've left incident response twice now. I'll say that the gravitational pull of IR is very strong, but now in a position where we can really start trying to tackle security for thousands of companies versus just one at a time.

Kip Boyle: Okay. Okay. So, it turns out you were an adrenaline junkie and now you're not addicted anymore. You've cleaned up, you're sober and now you want to have an impact across a large swath of companies. I think that's great. I love that. That's one of the reasons why I launched my own company, is because I felt like, well, okay, maybe I could get a CSO job at another company right after I left working for insurance. Another thing you and I have in common. But ultimately I decided I wanted to work with more than one organization to try to help make a difference. And I've really been enjoying that. So I deeply understand that idea. Okay. So you come at this from an IR perspective, by the way, Jason, who gets recruited out of college to go straight into incident response? How did that happen?

Jason Rebholz: I'll tell you it was a complete fluke. I wish I could tell you that I knew what I was doing. I had no idea. I applied for a role that I wasn't qualified for. And so it was just complete luck that at that time, Mandiant was looking to start recruiting college hires. So I was one of the very first college hires they had. I showed up my first day thinking I was going to be doing penetration testing, where I would be hacking into companies to tell them their gaps. And instead they handed me a hard drive and said, here you go, tell us everything that happened on it. So it was just a series of really interesting opportunities that I took full opportunity to extract.

Kip Boyle: You know, Jason, I could unpack that for days. I mean, part of that story is amazing, because I have another podcast and another problem space that I work in, where I help people get cybersecurity jobs. And I also help hiring managers find talented people and stop getting in their own way. And so the idea that Mandiant was bringing college kids in and building their own talent pipeline, is awesome. I love that. I'm probably going to want to ask you more about that later.

Jason Rebholz: It's a trend that has to continue.

Kip Boyle: Yeah, it does. But the bait and switch part, I don't know that now I'm just like, what? That wasn't fair. And I don't want to unpack that. That's okay. We're going to let that go because you made lemonade out of lemons.

Jason Rebholz: Exactly.

Kip Boyle: And you did a wonderful job, so congratulations to you. All right. So that's how you got into cybersecurity is through incident response. I've done some incident response, honestly it's not my favorite thing to do. I really like to do the more business focused preventative types of work. That's really my specialty. That's really what I enjoy, but I deeply respect the need for incident response capabilities. So I think it's fantastic. Tell us a little bit about your role at Corvus, because again, during show prep, I was telling you, yeah, when I worked at an insurance company, I was like 90% inwardly facing and about 10% outwardly facing and you said that for you, that's flipped, right?

Jason Rebholz: Yeah. So I spend a portion of my time on internal security, making sure that all of our data, all of our policy holder data is safe and secure. Got an amazing team that helps accomplish that mission. But I do spend a lot of time helping our policyholders from an advisory standpoint, making sure that we're guiding them along the right path. So just as you were saying with some of the preventative measures, really focus in on that, and then in addition to that, it's working on our technology. We want to make sure that our scans are not only predictive of trying to identify your likelihood of having a cyber security incident, but also tie in a lot of the practical security that we just know to be true, that we might not be able to get through a scan. So I spend a lot of time there helping to make sure that we're going the right way and supporting our policy holders as best as we can.

Kip Boyle: Well, this is great. What a natural segue to a topic that I really wanted to explore. So if anybody's been listening to this podcast for a while, you know that in previous episodes, we've talked about why and how cybersecurity is different for a small medium sized business than it is for a large enterprise. And that if you take large enterprise solutions and try to use them in a small medium context, it's not a good fit. It's like having a 14 year old son who needs to go to some kind of a formal event and loaning him your suit, right? It doesn't work. You can hem and cuff that thing all day long, it is not going to work. You need to go out and buy that child the suit that fits right. That was made for somebody of their size. I mean, that's just what you have to do. That's how I think of it. But how would you describe it? What's your perspective on it?

Jason Rebholz: Yeah. I actually love that analogy. The first thing I thought of is when I was a kid and my mom would buy shoe sizes that were two sizes too large with the expectation that I was going to grow into it. And unfortunately that doesn't really apply to cybersecurity, because not everybody is going to grow the same way and that's okay. Right? But the challenge specifically for SMBs in my mind, is that they face a lot of the same threats that a large company would, but they also face a lot of different threats as well. But when you look at the budgets, they're vastly vastly different. And so I think a lot of the challenges that, a lot of security perspective comes from the mindset that you have to secure these massive organizations. And when you look at that, it doesn't scale down appropriately and so you have a ton of just information overload. And so how do you filter through that?

And I think that's the biggest challenge for SMBs is they don't know what am I supposed to do first? And then what's the step after that? And so you really have to distill out all this information from this vast cybersecurity landscape. And that's where I think a lot of SMBs struggle the most.

Kip Boyle: Yeah. I would even say that large enterprises sometimes can struggle with knowing what should they do for a second or third. But the key that I really want to touch on what you said, which is all the same risks, infinite risk in fact, but much fewer resources to put against it. And so that makes prioritization even more crucial for them, because they can't just throw money at this thing and try to get their way out of it in that sense. They've got to be a lot smarter.

And by the way, another natural segue that you've made, which I'm not going to take, I am going to mention it though, is my company Cyber Risk Opportunities, that's exactly what we help people figure out, which is I've got a limited budget against infinite cyber risk. How do I get the most value for the dollars that I'm spending on risk mitigation? That is the essence of what we do, because we know this is a really super hard problem and where can people look to, right? They can follow vendors, right? They can call Microsoft or Cisco or whoever and they can say, what should I do? And a vendor can provide them with some leadership. They can read newspaper articles, trade publications and try to get, try to figure that out from that source. But I think those two sources are really biased and so it's just not always the best way to go in any event.

One thing that I think that insurance companies are doing today, that I think is really serving the entire industry and especially SMB, is they're actually starting to be very clear about the requirements. Like if you want a policy from us, this is what we need to see from you. And as somebody who's been assisting insurance brokers try to get cyber policies for their insureds, I've been seeing this a lot lately. And I think it's a good thing, because even if you don't buy cyber insurance, would you like to know what are the things that you could do that actually would decrease your risk, whether you have a policy or not. I mean, what a great service. I mean, that's how I think of it. How do you think of it?

Jason Rebholz: Yeah. I think you're spot on there. Cyber insurance sometimes gets a bad rap and I don't think it's really grounded in anything that is truthful. When you look at cyber insurance, there are very few companies that you're going to work with that have incentives aligned specifically to your business. Cyber insurance doesn't want you to have a breach because that's a loss. You don't want to have a breach, because that's also a loss for you. So it's a natural partner if you can extract the right value out of it. And so just as you were saying where cyber insurance is uniquely positioned to understand all the bad things that happen, because they exist to support you through that.

And so we sit on just troves of information about incidents, and we're able to look at that and say, what could be different here? What was the root cause of this incident? What was a mitigating factor that if they had that, would've changed the outcome? And so we can look at that and that all transposes into, what are the requirements that we have here, right?

It's very similar to car insurance, just when seatbelts were starting to emerge, they were optional in cars. And it wasn't until the insurance carrier stepped in and said, hey, we're looking at this data and the data's showing that if you're wearing a seatbelt, you are much less likely to die in a car accident. It's the same exact thing. We're just in the early innings of this game of understanding what these risks are, what the preventative measures are and now we can start getting this data to support it, to say for sure, from a data driven approach, if you have this control, we know for a fact that you are going to mitigate your risk by a factor of 2, 3, 4, 5, 6, whatever it is.

Kip Boyle: Okay. That's fantastic and particularly relevant to SMB, right? Let's take it back to the SMB perspective, because now I don't have to wonder as much what should I do. Right? Now I can actually go to this list of controls that are being released by cyber insurance carriers, not just Corvus, but other carriers are doing this as well. They don't all agree on what exactly the things are to do, but I think there's a lot of overlap. I think everybody agrees that protecting domain administrator accounts is really, really important. I think everybody agrees that MFA is really, really important, right? So, I think SMB should start looking at insurance, cyber insurance, to figure out what they should be doing. And I don't think it's the end of everything they should be doing, but I [inaudible] low hanging fruit, for sure. And so I think it's a fantastic turn of events.

Now, one thing that I do believe we're going to have to do is, we're going to have to keep up with it. And what I mean by that is cyber risks are not like other risks, right? Cyber's a dynamic risk, because it's always changing, static risks like fire, I mean, once we figured out what fire was all about, air, fuel and heat, we could control it. And we could figure out how to build large buildings and create large cities and not have them burn down because a cow kicks over an oil lamp. Right? So, we figured that out, but fire is immutable. It never changes. It never suddenly figures out how to burn bricks. It never suddenly figures out how to puncture the tires in the fire engines so they can't roll out and put... You know what I mean?

But cyber is dynamic, right? Because there's people behind it and these people are always trying to find ways to get around our controls. Like MFA, I think is a great example. That has been a really solid control for a long time, but now what I'm seeing is MFA being defeated by cookie stealing and all these other techniques, it's starting to become very commoditized in fact. And I think it's not going to be that far into the future, maybe two or three years, where MFA isn't going to be as protective as it was. Is that resonating with you? What are you seeing?

Jason Rebholz: Yeah, a hundred percent. I think the important thing to pull out there is that we're not dealing with something that's static. We are dealing with humans who are financially motivated to try to attack you. And so they will be creative. They will be relentless and they will not stop until they get their payday. And so you can just look across even the last six years, insurance carriers started paying attention to RDP for remote access into an environment. And suddenly we said, oh, attackers are targeting that, that's bad. We're going to start saying you shouldn't be using RDP. So you have companies that switched over to VPNs. Great. It was a good step forward for security. Now we start seeing attackers targeting vulnerabilities in these VPNs to get access into your environment that then leads to ransomware. So we're now at this other pivot point saying, all right, we're starting to see a bad trend emerging here. And we know from the data that if you're using a high risk VPN, one that is constantly being targeted by threat actors, you're 68% more likely to fall prey to a cyber incident.

Kip Boyle: 68% is [inaudible] accurate.

Jason Rebholz: Exactly. So now it's saying, all right, well, what's the next thing that we can try to look at, right? And so this is where things like zero trust network access are starting to come out, where you start removing that potential vulnerability from the attacker's purview and it just condenses down the avenues of attack that these hackers can go after. And that's the evolving game. Right? You're just a constant state of trying to survive in cyber security and that's just the fact of the matter.

Kip Boyle: Right. Right. Absolutely. I tell my customers that the goal isn't perfect security, the goal is to be a harder, more difficult target to encourage the attackers to move on to an easier target. Does that sound like a reasonable thing to you?

Jason Rebholz: Yeah. I think when you're, especially in today's ecosystem with these threat actors, you don't have to be the fastest person running away from the bear, you just don't want to be the slowest. I think in tandem with that though, you do have to make sure that you're putting mitigating defenses in place, right? So this is all about reduce the blast radius if an attack were to happen, because we do live in an age where if somebody wants to get access into your environment, they're going to get access into your environment. And so you have to look at these controls that you put in place so that any security control you put in place has to be a detection control as well, or capability so that you can see, stop an attack, alert on it, because that might only be the tip of the iceberg of something that's happening. It looks like we lost your audio there.

Kip Boyle: Okay. Sorry about that. Hit the wrong button. Hit the cough button and never undid it. Sorry. So I didn't cough in your ear, but then I wasn't able to talk, but I'm back. So zero trust architectures, you mentioned that. I'm glad you did, because that really gets to the heart of the matter I think, that it's inevitable that you're going to get breached. And so if you assume breach as a philosophy, then you're going to embrace the idea of zero trust networks and you're going to invest in detection and response and recovery. I like the new cybersecurity framework, because even back in 2014, it recognized that you couldn't just put all your money into prevention, because it just wasn't enough to try to prevent, the adversary was just too capable. But detection's super, super hard to do, isn't it? I mean, just from a practitioner in your space, what do you think is a reasonable way to do detection? I mean, I know there's lots of different choices, but some of it just strikes me as impractically expensive and difficult.

Jason Rebholz: Especially for SMBs. And this is just something where you want to work with the experts. If you're an SMB, you shouldn't be looking to build out a world class monitoring capability in house. It's not cost effective for you. There are much better ways that you can try to get a better return on your investment there. And so that's where it's looking out at experts in, I always recommend the MDR space, managed detection response, and really get somebody that spends their entire life being the best at that. That's who you want to work with versus trying to build these things in house.

Kip Boyle: Oh, so like Jason used to be?

Jason Rebholz: Exactly.

Kip Boyle: Yeah, well you would know, because you did that for so many years, so managed detection and response. Okay, great. Let's talk about cloud security for a few moments. So I got to tell you a lot of my customers and I do specialize in the mid-market, I have some large over a billion dollar customers, we have several what I would call venture backed startups and just some self funded, smaller companies. But the cloud marketing is really deceptive, because you do get a lot of security benefits by going to the cloud. No doubt about it. You save on CapEx. There's a lot of great things about the cloud, but there's other things that the marketers don't mention that you also need to do. How does that strike you? What do you think of, and how do you advise people?

Jason Rebholz: Yeah. I think cloud security is going to be the next big challenge for organizations. Just as you mentioned, startups, right? Every new startup that's out there is going cloud native, right? Unless there's some crazy reason that they need to have some on premise infrastructure.

Kip Boyle: I see it all the time.

Jason Rebholz: And so even established companies that were historically on premise only, are starting to shift to hybrid environments. And so cloud security is a core component of everything. And what typically is forgotten there is that cloud is a shared security model. So the cloud provider will take care of a portion of it, but you are on the hook for arguably some of the more important things on the proper configuration, the proper user setup. And so the big challenge here is that even for seasoned security veterans who understand how to secure an on-premise environment, it does not translate one to one to the cloud. You are learning an entirely different language. You're learning an entirely different way to think. And so there's a large education gap that has to get filled very quickly, because attackers are already starting to shift to identifying weaknesses in the cloud and starting to steal data. We just look at Capital One as the prime example of that.

Kip Boyle: Yeah. And I think Gartner published a prediction, which they've revised every year by extending how long this prediction's good for and they said something like 99% of all cloud failures is going to be the responsibility of the cloud using organization and not the cloud providing organization. And I think your referencing the Capital One is a great example of that, right? I mean, they just didn't configure the permissions correctly and yeah, there's a real lack of imagination. I have to tell my customers, if you don't get your configurations right in a LAN and things blow up you've got a pretty good contained blast radius, right? But if you make that same mistake in the cloud, you're exposed to the world and so the stakes are completely different and so much greater.

Another thing that I think that people struggle with is, it turns out everybody's now a systems administrator because everybody can share data on the cloud now. But none of those people who've never been systems administrators, were ever trained on how to configure permissions. And I think that's one of the big problems. And I think another big problem for administrators is the tools are so much more primitive with cloud providers than they ever were with on-premise. They just haven't matured enough. And by golly, they change every day. Every time I go in there to do something, the user interface has changed, is what it feels like to me. Do you see that stuff?

Jason Rebholz: A hundred percent. Yeah. I mean, it's very Silicon Valley where it's just innovate, innovate, innovate. And so from the actual infrastructure, the backend itself, they're constantly making improvements there that doesn't always translate over to the users to understand what's happening there. And so every day it feels as though there's a new thing that can go wrong in cloud.

Kip Boyle: Yeah. Absolutely. Gosh, there's just so much to say. So let's go back to this idea that you Corvus, have a list of controls that you know are good and that you want to see your insureds using. With respect to cloud security, could you give us like one or two examples of what you're looking for?

Jason Rebholz: So the big thing is how are you protecting the identity? Right? And so it pertains to cloud security, it pertains to on-premise security. It really comes down to how are you securing that identity? And one of the more effective ways that we see, is ensuring that all of your accounts have MFA enabled. So anywhere that you have remote access, anywhere that you're sharing data or have access to sensitive data, especially ensuring that there is a strong form of MFA there, to try to keep pace with exactly what you called out before. Attackers are shifting tactics to try to target MFA, so we want to see a forward thinking approach to how do you secure your users and your data using MFA in a way that's going to be more phishing resistant than something like, say a text message.

Kip Boyle: Yeah. So in the cloud, what do you think about like a CASB, some kind of an SSO solution? Do you see that as being a very favorable thing to do in terms of risk reduction?

Jason Rebholz: I think SSO is going to become mandatory for, I would put it more for the mid-size companies, right? Like I wouldn't expect a mom and pop shop to know what SSO is and deploy that out. But especially as you're growing and you have more and more applications, there's something to be said of having that control over where your accounts are, what they have access to and looking for and stopping suspicious logins, because you're looking for and detecting unusual log on patterns, and you have that MFA behind it. And so it's really going to come down to ensuring that you know who's logging into your environment and you're only letting the people who you authorize and the devices that you authorize to have access into those resources, whether it's cloud or on-premise.

Kip Boyle: Okay. Okay. That's good perspective. So identity, protecting the identities of the accounts, zero trust, right? So if you've got a login request coming in from Kazakhstan and this person you don't think they're in Kazakhstan, you need to up the identification requirements on it, or just not accept it at all. So, yeah, I think that is where things are going to.

One other thing that I wanted to talk about is, you talk about smaller organizations like the S in SMB, and even some medium sized companies, tend to outsource IT, either in whole or in part to a managed service provider. In your experience is it okay for them to also let the IT managed service provider, handle the cyber security, just to take it all and just expect that they're going to do a good job with everything?

Jason Rebholz: So I think a lot of companies do this out of a matter of convenience and out of a matter from not really understanding how to vet these vendors out. I've responded to a lot of MSPs that have gotten hit and got hit with ransomware, infected their clients. And what you start to realize is that the knowledge level on security specifically will vary greatly between MSPs. There are some of them that they probably know security better than most dedicated MSSPs or MDRs, but I would say that the vast majority that are out there just haven't built that muscle on that security side, because they're more focused on the user experience and keeping things up and running and that doesn't always go hand in hand with security. And so I always recommend that when you can, look to get somebody that lives, breathes, and eats security every single day, because if that's your main mechanism to identify malicious traffic and something bad that's happening in your environment, you want to make sure that you're working with a team that knows what they're doing and that you can fully trust.

Kip Boyle: Right. Right. Right. Interestingly enough, we released an episode, Jake and I did, in the not too distant past, it came out in May of 2022 this year, it was episode 105 and it was called, Your IT Person is Not Your Cybersecurity Person, and I think you pretty much summed up that episode. We unpacked it quite a bit more than that, but yeah, that's kind of what we came up with and which is the idea that everyone's concerned about availability, IT is, we are, in our profession we're very concerned about availability, but we also have to be concerned about exploitation, integrity, confidentiality. And IT people generally aren't beaten up when they get failures in those areas. And so I just think it's natural that they're going to pay attention to the thing that they're going to get criticized the most for if they don't attend to it. And again, that would be availability. And so they just don't have a lot of muscles, many of them, some do, but many of them don't have all the muscles to handle these other things. So, oh, fascinating.

Well, so listen, is there anything else you wanted to share with our audience as far as SMB cybersecurity through the insurance tech lens that you are looking at all this through?

Jason Rebholz: Yeah. I think the main thing here is that you have to look at cyber insurance as a partner for your program, for your security program. We have a lot of interesting insights on where attacks are going and what the failure points are and that specifically ties back to the controls that we're looking at. So initiate the conversation with your cyber insurance carriers, see what they can do to support you in your journey, in securing your environment. Because there are very few companies that have aligned incentives. Cyber insurance carriers don't want you to experience a security incident. That's a loss. You don't want to experience a cyber security incident, because that's a loss for you. So it's a natural partnership and unlocking that can really help move things along.

Kip Boyle: Yeah. It's an interesting forcing function, because what I've noticed in helping brokers connect their insureds with carriers over the last several months is that you can finally put a dollar and cents amount next to some of these things. And I'd like to share an example.

So I was working with an organization that wanted to get cyber insurance and one of the requirements was that they dramatically reduce, or even eliminate, the number of Windows service accounts that had domain admin capabilities. And they were kind of scoffing at it. They're like, gosh, that would be a lot of work, do we really need to do that? What's the value? And so I was able to say, well, if you don't do the work, instead of paying $400,000 this year for your insurance premium, you're going to pay $800,000 this year for your premium, or you won't get cyber insurance at all. So you tell me, is it worth it?

Jason Rebholz: It's pretty easy math there.

Kip Boyle: Yeah. Right? And so it becomes this really obvious forcing function, right? You want to pay 400K or 800K? You make your choice, right? And you know what you need to do if you want to pay the 400 and not the 800. So yeah, it's pretty fascinating. And then I had a conversation with a different carrier recently where they were talking about why it is that these service accounts with domain level capabilities, why that stuff is the devil. And he walked me through it and it helped me realize some of the important perspectives that insurance carriers are getting. So for example, he said of all the ransomware claims that they've processed over the last two plus years, in every single case, the attackers were able to get a domain admin account, one way or the other. Most of that was because they hijacked a service account and a minority of it, less than 50%, was because they were able to hijack a domain administrator account that belonged to an individual who was using it. How does that stack up in your experience? Is that about right?

Jason Rebholz: It sounds fairly accurate. You have to remember that these attacks usually follow the path of least resistance. And when you have these domain admin level accounts that are active on every single system, because it's a service account, you're just going to increase the likelihood that a threat actor is going to be able to pick that up from day one. So that's the path of least resistance. The fewest number of hops that an attacker has to take, they're going to do that.

Kip Boyle: Right. And you can't MFA service accounts. Right? So they're extra vulnerable because of things like that.

Jason Rebholz: Exactly.

Kip Boyle: Yeah. It's just really interesting how IT and cyber security is having its attention drawn towards things that just seemed like background noise in the past. And, but no, actually these are like super important things, but only because attackers have made them important and we've been able to discern that.

This has been a fantastic experience having you on this episode, Jason, I really appreciate that you are our guest. I want to encourage people to check out some of the videos that you've made and have made available on the Corvus website. I think you do a wonderful job of teaching people some of the things that they need to know, like multifactor authentication and so forth. I really appreciate your videos. So where can people go to connect with you and to learn from you?

Jason Rebholz: Yeah. So just as you pointed out, Corvus has some great content on their website. We just released a threat intel blog that we're going to be releasing weekly insights on. And I'm very active on LinkedIn where I'm posting updates on the latest news and just how you can be thinking about cybersecurity. So follow me on LinkedIn and we can do whatever we can to help each other out, because security is a team sport. So we got to help each other out.

Kip Boyle: God, it's like you listen to my podcast or something. You keep saying my lines. That's really cool. Jason, would it be okay if I put your LinkedIn URL into the show notes? Would that be all right?

Jason Rebholz: Yeah, absolutely.

Kip Boyle: Okay. I'll do that. And thank you so much for being here. Ladies and gentlemen, that wraps up this episode of the Cyber Risk Management podcast. And unfortunately, without our friend Jake Bernstein, but he will be back. But today we looked at cybersecurity for companies with less than $1 billion of annual revenue, which we call the SMB market, believe it or not. And we did that with our guest, Jason Rebholz. Thanks everybody and we'll see you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cyber security hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.