Lucidum and Cyber Insurance Requirements

Cyber liability insurance provides businesses with insurance that protects the company in the event of data breaches and other cyber security issues.

In 2021, the cyber insurance market continued to grow. The growth was fueled by high-profile cyber events and the ensuing massive payouts. Mordor Intelligence estimates that the cybersecurity insurance market was $9.29B in 2021, and they expect it to reach $28.25B by 2027.

According to ComputerWeekly (https://www.computerweekly.com/feature/What-to-look-for-when-taking-out-a-cyber-insurance-policy?), cyber insurance is a worthwhile investment for companies as part of their overall risk management plans. According to Forbes (https://www.forbes.com/advisor/business-insurance/cyber-liability-insurance/), “Any business that stores or processes sensitive information should consider cyber liability insurance.”

Requirements for Cyber Insurance #

To be eligible for cyber insurance, cyber insurance providers require that customers meet stringent security standards.

The following list includes the combined requirements from the Cyber Insurance Academy (https://www.cyberinsuranceacademy.com/knowledge-hub/guide/cyber-insurance-minimum-requirements/), tenfold security (https://www.tenfold-security.com/en/cyber-insurance/), and AgileIT (https://www.agileit.com/news/cyber-insurance-requirements-changing-2022/ ):

• Endpoint Detection and Response (EDR) implemented on all endpoints and kept up to date

• Multi-Factor Authentication (MFA) is implemented and required for all remote access

• Identity and Access Management (IAM) for ad-hoc privileges and restricted network access

• Policy of least privilege (PoLP) and Privileged Access Management (PAM) to monitor accounts with privileged access

• VPNs to protect remote access

• Patch Management policies that keep all software up to date

• Backups that ensure business data is regularly backed up to an external site or secure cloud service.

• Antivirus software installed on all laptops and servers and kept up to date.

• Firewalls to protect all network access points

How Does Lucidum Help? #

Lucidum can monitor the status of all assets and users in your environment to ensure you meet the requirements for cyber insurance.

Connectors #

Find All Assets and All Users in Your Environment #

To find all the assets in your environment, including nomadic/roaming devices and mobile devices:

1. Lucidum recommends you configure Lucidum connectors for:

   • The Endpoint Management solutions in your environment (for example, Jamf, Intune, Citrix Endpoint Management, Symantec Endpoint Management, Hexnode)

   • The Endpoint Protection solutions in your environment (for example, Trellix Endpoint Security, Symantec Endpoint Protection, SentinelOne, Crowdstrike Falcon, Microsoft Defender for Endpoint )

   • The Mobile Device Management solutions in your environment (for example, Addigy, Citrix Endpoint, Jamf Pro, Kandji)

   • The directory solutions in your environment (For example, Azure AD, Microsoft AD, Jump Cloud, PingOne, OpenLDAP,)

   • The DHCP solutions in your environment (For example, Infoblox, Efficient IP, BlueCat)

   • The VPN solutions in your environment (For example, Cisco AnyConnect, FortiClient, Palo Alto VPN, Citrix Gateway, Zscaler Private Access)

   • The cloud solutions in your environment (for example, AWS, Azure, Google Cloud, Oracle Cloud)

2. After Lucidum ingests data from these systems, Lucidum uses graph data, machine learning, and predictive analytics to detect and classify all assets and users, even those not detected by the solutions in your environment.

3. You can then create queries to find a list of all assets in your environment.

   • In this case, our query is: “Lucidum Asset Name exists”

   • This query finds all assets that Lucidum has discovered

4. The query results display all the assets in your environment.

5. You can easily filter and sort the query results and create dashboards.

   

6. To see new assets that have been added in the last week:

   • You can create the query: “Lucidum Asset Name exists AND First Time Seen was within the past 7 days”

7. You can then create queries to find a list of all users in your environment.

   • In this case, our query is: “Lucidum User Name exists”

   • This query finds all users discovered by Lucidum

8. The query results look like this:

   

9. You can easily filter and sort the query results and create dashboards.

   

Find Assets without Endpoint Detection and Response #

To find all assets in your environment that are not running and Endpoint Detection and Response solution:

1. Configure Lucidum connectors for:

   • the Endpoint Detection and Response solutions in your environment (for example, SentinelOne, Falcon Crowdstrike, Trend Micro XDR, Check Point Harmony Endpoint, Cortex XDR)

   • the cloud security solutions in your environment for cloud assets (for example, Netskope, Illumio Core, Orca, Tenable Vulnerability Management, Trend Micro Cloud One, Sophos Central)

2. After Lucidum ingests data from these solutions, you can then create queries to find a list of assets without EDR.

   • In our example, we are using SentinelOne for EDR for on-premises assets.

   • Our first query is: “find assets where cloud Asset is no AND data sources do not match sentinelone_agent”

   • This query finds assets records for on-premises and VM assets that do not include any data from SentinelOne. In our environment, if assets that don’t have any data from SentinelOne, this means that these assets are not running EDR.

3. These query results show all on-premises and VM assets without EDR:

   

4. You can include this query and its results in a dashboard.

   

5. To remediate, you can install Endpoint Detection and Response on all assets where it is not installed.

6. After Lucidum ingests data from these solutions, you can then create queries to find a list of cloud assets without cloud security.

   • In our example, we are using Netskope, Orca, and Tenable Vulnerability Management for cloud security

   • Our second query is: “find assets where cloud asset is yes AND data sources do not match Netskope OR Orca OR Tenabe.io”

   • This query finds assets records for cloud assets that do not include any data from Orca, Netskope, or Tenable Vulnerability Management. In our environment, if cloud assets don’t have any data from Orca, Netskope, or Tenable Vulnerability Management, this means that these assets are not running cloud security.

7. These query results show all cloud assets without cloud security:

   

8. You can include this query and its results in a dashboard.

9. To remediate, you can install cloud workload protection on all cloud assets where it is not installed.

10. Perform step #2 and step #6 again until there are no results.

11. Run these queries frequently to ensure compliance.

Find Users Who Do Not Use Identity and Access Management #

To find all the users in your environment who do not Identity and Access Management:

1. Configure Lucidum connectors for:

   • the identity and access management solutions in your environment (for example, Okta, AWS IAM, PingOne, OneLogic, SecurAuth)

2. After Lucidum ingests data from these solutions, you can then create queries to find a list of users without IAM.

   • In our example, we use Okta and AWS IAM for users.

   • Our query is: “find users where the data source does not match Okta AND the data source does not match AWS IAM.”.

   • This query finds users whose records do not include any information from Okta and do not include any information from AWS IAM. In our example environment, this means that these users are not using IAM.

3. The query results show all users who are not using an IAM solution:

   

4. You can also include this query and its results in a dashboard.

   

5. To remediate, you can add these users to an IAM solution.

6. Then perform step #2 again until there are no results.

7. Run this query frequently to ensure compliance.

Find Root Accounts That Are Not Managed with Privileged Access Management (PAM) #

To find users who have admin privileges and are not monitored with a privileged access management solution:

1. Configure Lucidum connectors for:

   • Privileged access management (PAM) (for example, CyberArk, BeyondTrust, HashiCorp, SecureONE, Thycotic)

2. After Lucidum ingests data from these solutions, you can then create queries to find a list of users with administrator access and who don’t use PAM.

   • In our example, we use Thycotic.

   • Our query is: “find users where User Admin is yes AND where data sources do not match thycotic”

   • This query finds users who have administrator privileges but do not include any data from Thycotic. In our environment, this means that these users are not monitored with Thycotic PAM.

3. The query results show all users who have administrator privileges and are not monitored with a PAM solution.

4. You can use these query results in a dashboard.

5. To remediate, you can add these accounts to your PAM solution.

6. Then perform step #2 again until there are no results.

7. Run this query frequently to ensure compliance.

Find User Who Do Not Use Multi-Factor Authentication (MFA) #

To find all the users in your environment who do not use MFA:

1. Configure Lucidum connectors for:

   • the multi-factor authentication solutions in your environment (for example, Duo, Microsoft Azure AD, Microsoft Authenticator, RSA SecurID, HYPR Passwordless )

2. After Lucidum ingests data from these solutions, you can then create queries to find a list of users without MFA.

   • Our query is “find users where MFA status matches no”.

   • This query finds users whose records do not include information about MFA. This means that these users are not using MFA.

3. The query results show all users who are not using an MFA solution:

   

4. You can also include this query and its results in a dashboard.

   

5. To remediate, you can add these users to an IAM solution.

6. Then perform step #2 again until there are no results.

7. Run this query frequently to ensure compliance.

Find Remote Assets That Do Not Use VPN #

1. Configure Lucidum connectors for:

   • the VPN solutions in your environment (for example, Cisco AnyConnect, Fortinet FortiClient, Aviatrix, Zscaler, OpenVPN)

2. After Lucidum ingests data from these solutions, you can then create queries to find a list of assets that don’t use VPN.

   • In our example, we use Palo Alto VPN for VPN.

   • Our query is: “find assets where data sources do not match pan_vpn_log AND asset type is workstation”.

   • This query finds asset records for workstations that do not include any data from Palo Alto VPN. In our environment, this means that these workstations are not using VPN to connect to the corporate network.

3. The query results show workstations that are not using a VPN solution:

   

4. You can also include this query and its results in a dashboard.

   

5. To remediate, you can install a VPN solution on these workstations.

6. Then perform step #2 again until there are no results.

7. Run this query frequently to ensure compliance.

Find Assets That Are Not Being Patched #

In most cases, the Endpoint Detection and Response (EDR) solutions in your environment (for example, SentinelOne, Falcon Crowdstrike, Trend Micro XDR, Check Point Harmony Endpoint, Cortex XDR) also manages updates and patches for operating systems and applications.

However, if the EDR is not kept up to date on assets, patching is also not kept up to date on those assets.

To ensure that EDR is kept up to date and therefore patches are up to date:

1. Configure Lucidum connectors for:

   • the Endpoint Detection and Response solutions in your environment (for example, SentinelOne, Falcon Crowdstrike, Trend Micro XDR, Check Point Harmony Endpoint, Cortex XDR)

2. After Lucidum ingests data from these solutions, you can then create queries to find a list of assets where the EDR agent is not up to date.

   • In our example, we are using Veeam

   • Our query is: “find assets where asset type is VM OR asset type is server OR asset type is workstation AND Risk Factors match Endpoint Protection Not Updated”

   • This query finds assets with a risk factor of “endpoint protection not updated”

3. The query results show all VMs, workstations, and servers where the endpoint agent has not been updated:

   

4. You can use these query results in a dashboard.

5. To remediate, you can update the EDR agent on all the assets in the query results.

6. Then perform step #2 again until there are no results.

7. Run this query frequently to ensure compliance.

Find Assets That Are Not Included in Backups #

To find assets in your environment that are not backed up:

1. Configure Lucidum connectors for:

   • the server and VM backup or disaster recovery solutions in your environment (for example, Arcserver, Barracuda, Datto, Nasum, Veeam, Veritas)

2. Configure Lucidum connectors for:

   • the cloud backup solutions in your environment (for example, AWS Backup, Azure Backup, Barracuda cloud, Google Cloud Backup)

3. After Lucidum ingests data from backup solutions, you can then create queries to find a list of server and VM assets that are not backed up.

   • In our example, we are using Veeam

   • Our query is: “find assets where asset type is server or VM and data source does not match Veeam”

   • This query finds server assets and VM assets with no data from Veeam. In our environment, if asset records do not have information from Veeam, they are not being backed up.

4. The query results display the server and VM assets that are not regularly backed up.

5. You can use these query results in a dashboard.

6. To remediate these assets, add them to a backup solution.

7. After Lucidum ingests data from cloud backup solutions, you can then create queries to find a list of cloud assets that are not backed up.

   • In our example, we are using AWS Backup

   • Our query is: “find assets where cloud asset is yes AND data source does not match AWS Backup.

   • This query finds cloud assets with no data from AWS Backup. In our environment, if cloud asset records do not have information from AWS Backup, they are not being backed up.

8. The query results display the cloud assets that are not regularly backed up.

9. You can use these query results in a dashboard.

10. To remediate these cloud assets, add them to a backup solution.

11. Perform these steps frequently.

Find Assets That Are Not Running Anti-Virus #

To find assets that are not running Anti-Virus software:

1. Configure Lucidum connectors for:

   • the anti-virus solutions or vulnerability management solutions in your environment (for example, Burp Suite, Cycognito, Greenbone, Kenna, MS Defender, Qualys, Rapid7, Tenable, Vulcan)

2. After Lucidum ingests data from these systems, you can then create queries and dashboards that display information about vulnerability scanning.

3. To find assets without vulnerability scanning,you can write a query like:

   • In our example, we use Tenable for vulnerability scanning.

   • Our query is “Lucidum Asset Name exists AND Vuln Scan is not Yes”

   • Our query finds asset records that do not include vulnerability scanning.

4. The query results display all assets without vulnerability scanning:

   

5. You can also include this query and its results in a dashboard.

   

6. You can then remediate by adding vulnerability scanning to these assets.

7. Then perform step #2 again until there are no results.

8. Run this query frequently to ensure compliance.

Firewalls #

To find all firewalls in your environment:

1. Configure Lucidum connectors for:

   • the firewall solutions in your environment for cloud and on-premises (for example, AWS WAF, Fortinet Fortigate, SonicWall, FireMon, Cisco Umbrella, Palo Alto)

2. After Lucidum ingests data from these systems, you can then create queries and dashboards that display information about firewalls.

   • Our query is “Asset Type matches Network.Firewall OR Asset Type matches Firewall

   • Our query finds hardware firewalls (Network.Firewall) and cloud firewalls (Firewall).

3. The query results display all firewalls in your environment: