On Aon

37: On Aon’s Cyber Threat Hunt with Samantha Billy and Jonathan Rajewski

Episode Notes

Cyber incidents are becoming more frequent, targeted, sophisticated and costly, with a projected $10.5 trillion annual global cost by 2025. To better understand the evolution of cyber attacks and their impact on organizations, host and Engagement Management Leader for Cyber Solutions, Stroz Friedberg, an Aon company, Rachel Ratcliff welcomes Aon’s North American Head of Incident Response and Digital Forensics Incident Response Practice Leader for Stroz Friedberg, an Aon company, Jonathan Rajewski and Aon’s VP and U.S. Broking Growth Leader for Aon’s Cyber Solutions, Samantha Billy, for a conversation about the what, when and why of the proactive approach to this costly problem — cyber threat hunting. 

Additional Resources:

E&O and Cyber Market Review – Midyear 2022

Threat Hunting For COVID-19: Leveraging Threat Intelligence To Drive Cyber Security Defenses

Stroz Friedberg Incident Response Named A Leader In The Forrester Wave™: Cybersecurity Incident Response Services, Q1 2022 Report

Aon Completes Acquisition Of Risk Management Firm Stroz Friedberg

Aon’s website


Episode Transcription

Voiceover:

Welcome to “On Aon,” a podcast featuring conversations between colleagues on, well, Aon. This week, we hear from Jonathan Rajewski and Samantha Billy about cyber threat hunting. And now, this week’s host, Rachel Ratcliff.

Rachel Ratcliff:

Hi, my name is Rachel Ratcliff and I'm the engagement management leader for Aon’s Cyber Solutions. I've been a colleague at Aon since 2016 when my firm, Stroz Friedberg, was acquired by Aon. I also get to serve as the head of our Dallas, Texas group of Aon Cyber Solutions, and I have the esteemed pleasure of getting to spend every day working with some of the smartest and hardest-working people that you could ever put in a room.

With me today are two such people, Jonathan Rajewski and Samantha Billy, who are here today to chat with us about threat hunting. Jon Rajewski has been at Aon since 2019, and currently serves as Aon's North American head of incident response and digital forensics incident response practice leader. Samantha Billy has been at Aon for over nine years and currently fills the role of vice president and U.S. broking growth leader for Aon's cyber solutions group. Thank you both so much for being here today. So, before we get started, I'd love to have the listeners hear more about your roles in the firm. Samantha, can we start with you?

Samantha Billy:

Yes. Thanks, Rachel. I am honored to be here today as part of the On Aon podcast. I'm extremely passionate about knowledge sharing as well as helping clients improve their cybersecurity posture. So, I'm so excited to be speaking today. To answer your question, I am responsible for leading the U.S. growth and pipeline strategy for the cyber and E&O brokerage team. In my role, I'm accountable for maximizing revenue growth and helping clients with their cybersecurity posture with new products, approaches, services and solutions based on a deep understanding of the insurance marketplace and insureds' needs.

Jonathan Rajewski:

Thanks, Rachel. So, I am very happy to be here because I love doing what I do here for Aon. So, hi, my name is Jon. I work at a company called Stroz Friedberg. I'm the head of incident response for North America. And what that means is basically I lead a team that helps clients on their worst days. We help them when they're dealing with and navigating cyber incidents. I lead an amazing team. I would say our team is the best, and we have great, skilled practitioners that help clients navigate some very turbulent waters, and I'm very happy to be here.

Rachel Ratcliff:

Fantastic. Well, thank you both so much for sharing. So, let's just jump right in. So, first off, I would like to set the scene for people. Over the last couple of years, the cyber threat landscape has gotten pretty scary, and everyone here has had a front row seat. Jon, you and I have worked some doozies together. You have seen thousands of examples out in the field of what's going on. How have you seen cyberattacks evolve? And what's the impact that this has really had on organizations?

Jonathan Rajewski:

Yeah, Rachel. We've had a lot of interesting engagements together, and I'm here to say that cyberattacks continue to not only evolve, but they're becoming more frequent, targeted, sophisticated and costly for organizations of all sizes. If you look back 24, 36 months, we've seen threat actors evolve from... You could describe them as like a startup. They've had very sophisticated techniques, but they've grown and scaled their operations to be able to impact global organizations. We're seeing sophistication levels increase. We're seeing small organizations being impacted because of third-party relationships that they have. We're also seeing, unfortunately, some organizations like school districts getting hit or local governments being impacted by threat actors, which is disrupting all kinds of things. When you think of how organizations are impacted by cybercrime, it's not just the organization that's impacted. It's also their customers or their employees that are finding themselves impacted as well because sometimes, when we're talking to organizations who are dealing with a cyber event, they're not able to make payroll because the system that processes that payroll is actually impacted by the cyber threat actor.

So, we're seeing the frequency increase. We're seeing targeted attacks occurring. Sophistication, as I mentioned, is increasing, but also the cost. Business interruption is a big factor here where if a company can no longer make transactions or perform the normal business activities, it's causing a loss.

Rachel Ratcliff:

You make some great points, Jon, and it's consistent with what I have seen as well, that no one is immune from cybercrime now. No industry is immune. No market segment is immune. It impacts everyone across the board in a way that may not have been true even as recently as two or three years ago. Samantha, and let me just ask this off the top. Can I call you Sam? Because I know that I'm going to slip during this interview and call you Sam anyway.

Samantha Billy:

Absolutely.

Rachel Ratcliff:

Thank you. Thank you. Samantha, how have you seen this evolving threat landscape change the cyber insurance marketplace?

Samantha Billy:

Yeah. Sure. So, as Jon said, the cyber threat landscape has become more frequent, evolved, targeted, sophisticated and last but not least, more costly. As such, insurers have suffered increased frequency and severity of cyber losses. Given this loss environment, the cyber marketplace has become much more hardened. Over the last two years, insurers have increased pricing, limited and even removed coverage grants, decreased the amount of capacity they would put on risk and increased retention. The year-over-year average price increase since September 2021 is just under 100 percent. In addition, since September '21, about 50 percent of our clients have experienced retention increases and about 10 percent of the clients have experienced reduced limits. On top of all these changes, coverage restrictions have been introduced to the cyber marketplace, such as ransomware restrictions, systemic risk limitations and business interruption coverage changes. Overall, the changing marketplace and the landscape has changed the cyber insurer marketplace to be much more hardened too.

Rachel Ratcliff:

Well, I think that we effectively brought the doom and gloom to the first part of the podcast, but that's okay because there are so many opportunities to help. And threat hunting is one of my favorite things to talk about because selfishly, it folds into my favorite thing that we get to do at Aon, which is help our clients make decisions that will help them avoid big, big problems down the road. So, let's put that in a bit more context for our listeners. What exactly is a threat hunt? And when should organizations be thinking about conducting a threat hunt? Jon, can you speak to that?

Jonathan Rajewski:

Sure. Thanks, Rachel. And simply put, cyber threat hunting is a great instrument for organizations to use to demonstrate if their existing cyber resilience is actually working, if they test. And I will compare this to the real world for me personally. Every year, a couple of times a year, I go to the dentist. And when I sit in that dentist chair personally, I really want to be a boring patient. I work all year with my dental hygiene, trying to make sure when I get into that chair, I'm not going to hear news that I'm not expecting. So, same is true with a cyber threat hunt. If someone needs a cyber threat hunt, an organization, nonprofit, big corporation, or they want to check to make sure that their IT or security controls are actually working, functioning the way they should, a cyber threat hunt is essentially a team of professionals trying to find evil within the infrastructure. So, known compromise or unknown compromise or evidence of a prior compromise, something that can elevate risk to the organization. So, think of it like finding unknown unknowns.

And I'm here to tell you that when our team performs these threat hunts, they find things. So, what do they find? They find evidence of existing, actual unauthorized access to networks. And that's a scary thing because this could very much be a pre-ransomware event, like you have someone who has initial access to an email account or to a computer system that ultimately will allow them to make destructive impact to the organization. So, being proactive with a threat hunt is a good idea. And I would recommend just like how I do, I personally go to the dentist a couple of times a year for those cleanings and for those checkups because I do want to be the boring patient. And when companies are looking to do threat hunting, they're demonstrating that, "Hey. I do have this capability. I'm going to take advantage of this opportunity to really make sure that no one's in the systems."

So, when do companies do this most often? And I would say it needs to be a part of the regular plan, maybe once minimum, maybe multiple times a year. I've actually seen some organizations bring this in house. Some more sophisticated, larger institutions will actually have a team of people that do this every single day. And it's a great thing to do because you're trying to find those unknown unknowns. But we've also seen companies do this just as their regular hygiene schedule, but also during M&A activity. So, there's about to be a merger or acquisition going on and a company who's buying a company wants to make sure that company does not have a breach already within the infrastructure because that's an increased risk to the company that's buying it.

So, there's a lot of reasons that companies want to choose to do a threat hunt. But the last reason I'll share is a company... And we sometimes get this. They think the boogeyman is in the house or in the network. And there's a reason. "Well, we were vulnerable to a vulnerability that just got published and I'm seeing in the news. And our team thinks they patched it, but can your team just come in?" This is a good reason. "Can your team come in and just look for us? Because our team is good. They keep the infrastructure running, but they don't do incident response for threat hunting every single day." So, bringing in a team of professionals to do that is a great idea.

Rachel Ratcliff:

Now I love your analogy, Jon, about going to the dentist. And props to you and your dentist for the dental hygiene that you have. It reminds me of when I went in a couple of years without going to see my dentist, and that turned into a very costly mistake for me, just like it can for corporations. But I think what I really respond to out of your comments is that threat hunting really is part of an overall plan that folds into cyber resilience. And cyber resilience is something that's becoming more and more crucial for businesses. How can threat hunt really help businesses achieve cyber resilience? Samantha, let's hear from you first on that.

Samantha Billy:

Really great question. Threat hunting is probably one of the best tools that can help minimize a company's exposure from top to bottom for the entire cyber risk loop viewpoint. From a proactive or a mitigation perspective, insurers can potentially capture a bad actor before they even intrude the system. From a reactive or a recovery side perspective, insurers can minimize the potential harm a bad actor that is already in the system to systematically threat hunt your network, reduce the amount of time they're in there and how long the attack will take place. And lastly, from a risk transfer perspective, underwriters see threat hunting as one of, if not the best tool to help minimize the financial implications of a cyberattack, allowing for more favorable risk transfer results.

Rachel Ratcliff:

That's great, Sam. It makes me think about just the value that you can have in the proverbial ounce of prevention on the front end before you hit problems on the back end. Jon, what about you? What are your thoughts around cyber resilience and how threat hunting pulls into the mix?

Jonathan Rajewski:

So, when it comes to cyber resilience and threat hunting, I know that companies' infrastructures are all different. I mean, we talk to companies every single day dealing with a cyber incident. And one of the first things we do is ask about how did it happen? When did they realize it happened? And tell us a little bit about your infrastructure so we can properly find and understand what the threat actor was doing within the infrastructure. When we threat hunt, we do a very similar thing.

But one of the last things I want to do is actually have the conversation after the event occurred. I'd rather have that proactive conversation with the client and help them with the resilience side because I believe that the companies that are pushing towards the understanding of the unknown unknowns earlier in the process are in a far better position and ultimately risk profile in the future. I mean, they're truly putting their network to the test, which by the way, cyber resiliency isn't just threat hunting. It's a piece of the puzzle and it's something that companies should be investing in to demonstrate that they're actually getting it right.

Rachel Ratcliff:

Now, you raise a good point, and it makes me think about the types of things that you often find as a product of threat hunting. Obviously, you are in the environment looking for that potential bad actor lying in wait. You're looking for that clear vulnerability. But I find a lot of times too, our clients are discovering bad cyber hygiene that may be hanging out within their network that may not be a problem yet; it may not have allowed a bad actor into their environment yet, but doing that threat hunt allows for organizations to do a cleanup and address gaps before they become an issue. And I love that proactive piece. So, another question for you, Jon, it's been my experience that threat hunting means different things to different people. I've heard clients say, "Well, I've got antivirus running in my environment. I'm taking a look at the EDR every so often. I feel like I'm covered." Are all threat hunts created equal?

Jonathan Rajewski:

No. Next question.

Rachel Ratcliff:

[inaudible 00:15:33].

Jonathan Rajewski:

But look, I think an EDR, for those listeners who aren't cyber people, EDR is like a table stake and it stands for endpoint detection and response tooling. And a lot of companies that have EDR in place basically have a security system on their computers, and it's a nice feature to have. And actually, I'll let Sam comment on this, but it may be a table stake for some insurance carriers. They require it because it is such an important piece of the cyber puzzle. But do you need EDR to do a threat hunt? No. There's multiple ways to do a threat hunt. And I would argue that some EDR, let's say it's good to have, can be leveraged in a way to go look for evil, but it doesn't look at everything. And because I mentioned earlier, every network's unique and complex, you really need a custom solution potentially depending on your infrastructure designed for your specific threat hunts. You can't just put a software on it and think the threat hunt's going to be performed.

For example, endpoint detection and response tooling does not run on email infrastructure in the cloud. So, if you want a threat hunt on the email infrastructure in the cloud, that's a very specific thing. And when we look at threat hunts or designing threat hunts for customers, we basically have the conversation. Where is your infrastructure? Do you know where it is? Do you know where your IT assets are? What type of software is on those assets? Because if we can leverage assets in their environment like EDR, that's great, but we're also going to bring other tooling in. Come up with another fun analogy here. If I call a plumber to my house, the plumber doesn't expect me to have all the tools they need to fix my plumbing. If you call our team in to perform a threat hunt, we're going to bring the tools that we need to do the threat hunt, and it doesn't matter what your environment looks like because we have so many different tools that can work and effectively help us efficiently go through the network systematically to find potentially evil things throughout it.

Rachel Ratcliff:

That's great. Sam, building on Jon's comments around tooling in network environments, how does that factor into discussions around coverage and renewals? Can you speak to that?

Samantha Billy:

I think that five or six years ago, the underwriting process around cyber submissions used to be maybe one page, six questions, and the insurers might ask a question that was more to check the box such as, "Yes or no. Do you have endpoint detection and response?" And that would be the end of the question, end of response. Given the loss experience of insurers over the last few years, they have so much more data and experience around the space, and they really see how the different threat hunting capabilities increase or decrease the potential loss and the risk exposure for companies. So, as such, the underwriting process is much more expansive and really digs into understanding what are your threat hunting capabilities, and they evaluate the risk based on such a company's capabilities. And if you don't have the highest level of capabilities, you will not get the coverage that you need, maybe higher pricing. These are almost requirements nowadays to have the best of the best and really understanding the risks.

Rachel Ratcliff:

Wow. So, as our threat actors have become more sophisticated, so becomes our responsibility to stay sophisticated in the context of tooling and methodology for putting ourselves in the best position for coverage with the underwriters. Really interesting. Well, I want to end the substantive portion of our talk today talking more about cyber resilience. Now we've talked about threat hunting as part of a holistic approach to managing cyber risk. And I would love to hear from both of you about examples of when you've helped a client achieve that kind of multifaceted approach to cyber risk. Jon, you want to start?

Jonathan Rajewski:

So, our team has performed thousands of incident response and threat hunts for customers. And in our experience, we've seen things. And during those engagements, we're always communicating with the customer and we're trying to let them know exactly what happened, why it happened and what they can do to improve their overall security posture. During an incident response engagement, we're there to help that customer get up as quickly and as safely as possible, and we're going to help understand exactly what the criminal did when they were in the infrastructure, how they did it, so when that customer is rebuilding the infrastructure, they don't rebuild with problems. Right?

Rachel Ratcliff:

Thanks, Jon. Sam, what about you?

Samantha Billy:

We have multiple examples, but I'll just give one recent example. Recently, we've had one brokerage client that suffered a cyberattack. We were able to help them from an insurer's perspective through the placement of the policy as well as managing the claim or the event with the insurers. Yet not only were we able to help the client on the risk transfer side, but we also had a retainer with them with Aon, and we were able to help work with them with our digital forensics and incident response team and to make a better result to help mitigate risk from the recovery side. In addition, due to the event, the company is now looking to introduce Aon to help with broader threat hunting capabilities from a proactive perspective and reduce the risk in the future. By having this cyber loop risk approach, the client has been extremely happy as they felt like Aon was a partner throughout this raise awareness process. So, really important to have a process from beginning to end and work together as a team because cyber resiliency is a culture overall.

Rachel Ratcliff:

I love those comments. Cyber resilience is a culture, cyber resilience not being stagnant. And forgive me, I can't help but add my own example here. But I think about the opportunities that we have had to work with very complex organizations, albeit either private equity with a number of portcos, large organizations with multiple subsidiaries or even new startup companies who are acquiring new portions of their business. All of these types of organizations inherit very complex cybersecurity issues, and it's fun to get to work with them to solve those types of issues.

A very common scenario that we have seen is for a parent organization trying to wrap their arms around what are the varying levels of security and cyber resilience in the organizations that fall under mine? That's a great opportunity to come in and do threat hunting to figure out what's in the environment, to do assessment work as well to get a base level of cyber maturity amongst groups, and to fold that information into an ongoing conversation not only about incident response, but about risk mitigation and ultimately risk transfer. Those are the fun conversations to have. And finally, a bit of fun to close us out today, I would like it, Sam and Jon, if you would oblige me in a lightning round of personal information, none of which hopefully rolls into your own security questions that you use online. Just cybersecurity tip for the day. But Samantha, can we talk to you first? Three quick questions. Are you ready? Your favorite trip?

Samantha Billy:

I went to Croatia and did yacht week.

Rachel Ratcliff:

Oh. Dang. That's good. What is your favorite thing to do outside of work?

Samantha Billy:

Time with my family and friends. Thank God we're on a podcast because I have no dark or pale, but I love the beach and traveling too.

Rachel Ratcliff:

Very good. And finally, a fun skill for you that is not on your resume.

Samantha Billy:

Actually, an okay field hockey player. I was on the U-16 national team and went to college for it too. So, I've lost all those skills, but I used to be pretty good overall.

Rachel Ratcliff:

Holy cow, Samantha Billy, you are a mystery wrapped in an enigma. Okay. Jon, that leaves a lot of room for you. So, you better make this good, friend. Your favorite trip.

Jonathan Rajewski:

Favorite trip was a family trip to Barbados. It was just a great time with the family, living out on a beach. I actually tried to figure out how to live in a container there for a couple of hours and then realized I needed more stable internet.

Rachel Ratcliff:

The world is better for not having you in a container, Jon Rajewski. Your favorite thing to do outside of work?

Jonathan Rajewski:

Family. So, either it's me taking my kids to sports or spending time with my wife. I love just spending time with family.

Rachel Ratcliff:

Multiple sporting family. Very good. And finally, a fun skill that you have that is not on your resume.

Jonathan Rajewski:

I decided about 15 years ago to get into bonsai. So, I build bonsai trees like you would see in giant Japanese gardens. And I look forward to continuing to hone that skill as I get older.

Voiceover:

This has been a conversation “On Aon” and cyber threat hunting. Thank you for listening. If you enjoyed this week’s episode, tune in in two weeks for another new episode. To learn more about Aon, its colleagues, solutions and news, check out our show notes, and visit our website at Aon dot com.