Here’s a simple framework for predicting where the InfoSec market is heading using cyber-insurance:

1/ Cyber-insurance is becoming increasingly mandatory for businesses, protecting them and third parties from financial losses.

If this trend continues, what happens next? 🧵👇 2/ To manage risk, cyber-insurers become increasingly prescriptive—requiring specific security controls before extending coverage. Policies will be tied to security controls that demonstrably reduce financial loss.

Over the last several years, tons of insurance carriers rushed into the cyber market to take advantage of corp demand. The market grew incredibly fast (still is!). Many carriers signed up clients with bad risk profiles and are now suffering the financial consequences of breaches. Consequently from all the ransomware, etc… we should expect many cyber-insurance carriers to exit the market over the next couple years. Some carriers fared way better than others. It’s basically a shake out beteen those able to identify good risk vs bad.

When I first started training Brazilian Jiu-Jitsu, I'd get tapped 20 times a class. While it was still fun, let me tell you being tapped repeatedly every night for months sucked. I’m not going to lie, it was incredibly discouraging and I contemplated giving up many times. /1 I discussed this with my instructor, who gave me one of the greatest BJJ and life tips. He said instead of thinking of BJJ as getting a tap or being tapped, track progress by how many fewer times you get tapped each night, and the how long you survive between taps. So, I did. /2

Right now we’re at the birth, or very very early stages, of an industry called “Attack Surface Management. (ASM)” I know what this feels like and looks like having also been present at the birth of the“Application Security” industry. /1 How the ASM market will evolve over time will be a fascinating experience as it’ll have an enormous impact on essentially every adjacent market of the Information Security industry — and the overall security posture of the Internet. Here’s how I think things will play out… /2

I remember when @BillGates published Trustworthy Computing Memo in 2002, changing Microsoft’s course. As the @WhiteHouse just posted "Executive Order on Improving the Nation’s Cybersecurity”, it feels like a similar moment and being taken seriously.

whitehouse.gov/briefing-room/… @BillGates @WhiteHouse There’s A LOT in there, which are hard to say are bad idea...

Remove barriers to threat intel sharing, mandatory breach reporting, develop standard DFIR playbook, use Zero Trust, use The-Cloud, do MFA, do EDR, do data encryption at-rest and in-transit...

“Today’s" ransomware tools were built using the profits from “yesterdays" attacks. Consider how much how in BTC ransomware groups received in 2015-2020. This period BTC went from a couple thousand to tens of thousands. They made billions, and likely sitting on billions more. Ransomware group have crazy R&D budget access and as BTC rises in value, it gets just that much more powerful. For the forseeable future, we’ll be fighting against some of the most powerful cyber-criminal tooling we’ve ever seen.

In 1999, Microsoft was ruled a monopoly. In 2002, Bill Gates announced the Trustworthy Computing Initiative. Over the next decade they made great improvements in software security. No one disputes this... However, nearly 20 years since TWI a large number of 0-days are floating around and hundreds of thousands of companies are getting hacked. Millions of people too. And of course, this isn’t just restricted to Microsoft — other companies are decades behind.

Many InfoSec industry reports state that exposed Remote Desktop Protocol (RDP) ports are a leading cause of breaches. One cyber-insurance carrier told me they will not write policies for those with open RDP. So, I was curious how prevalent RDP is across top U.S. companies. /1 I used Bit Discovery to analyze the external asset inventories (attack surface map) of 102 top U.S. companies, organized by 9 industry segments, looking for assets that had listening RDP ports (3389) at some point within October. /2

Ransomware gangs have been causing an extreme amount of damage lately. We saw these events coming years off, it was predictable, and we can only expect more of the same. Doing something about this problem is not as simple as just saying, “don’t pay the ransom.” There is a lot to be learned about this marketplace of crime, and how to most effectively deal with it, by studying the history of kidnapping & ransom — specifically high-seas piracy.

In AppSec, it's basically impossible to know for certain that you’ve found all the vulns in a given website. For similar reasons, the same is true in Asset Inventory. It’s impossible to know that you’ve found all a companies Internet-connected assets. There is always a discomfort level in this understanding. But what I’ve found is that if you’re diligent and follow a process that accounts for all the known discovery techniques, the odds of an adversary exploiting a missed area and causing harm is exceedingly low.

For those who enjoy thinking about hard problems, I have one for you.

Generally speaking, companies like to know how much something is worth — such their own IT assets. How do go about valuing a given website or Internet-connected asset in actual dollar terms? Now, lets you take their main website — or any of their websites. You know the FQDN, ip-address(es), who owns it, hosting county, technology stack meta-data, relative traffic volume, if it's revenue generating, data sensitivity, etc.

Over the last few years, I attended 4-6 conference each year. Of course many of the presentations were informative, but often the hallway track was even more educationally valuable. With COVID-19, the hallway track is now gone and cannot be replaced by social media. I used to get answers to important questions I didn’t even know to ask. Topics and discussions points would just come up in natural conversation about the work people were doing day to day.

We published Bit Discovery’s very first statistics report! Years in the making. While ‘we' know a lot about the Internet and what’s connected, what's missing is a notion of who owns what online. Which turns out to be, incredibly useful and interesting. assetreport.bitdiscovery.com We created inventories of all the Internet-connected assets belonging to the top 10 U.S. automakers, banks, hotels, retail, tech, etc. Then broken down their inventory by median # of assets, domain names, hosting countries, % of cloud hosted assets, etc.

I often look at problems from an economic perspective. In the case of police, there's 800K+ law enforcement officers in the U.S. Assuming X% are unfit for the job, which may be a big number, what private businesses would voluntarily hire the unfit ones for what job exactly? Given the current U.S. unemployment figures and general ecomomic conditions, this presents a financial and taxation conundrum — if nothing else.

I’d like to share a quick little story. I live in and come from a small town in Maui, Hi (pop. ~8,000). The people are super sweet, come from all walks, but the area itself is on the poorer side of the economic spectrum. Most everyone lives week to week, if not day to day. /1 No there really cares about money anyway, because it's beautiful - paradise - and people just wanna enjoy the day, enjoy life! With my sister @heatherkuleana's help, over the years I’ve often quietly given cash, food, or whatever to local people in the areas that needed it. /2

In my experience with many InfoSec start-ups, ~25-50% of their sales leads originate from conference booths / sponsorships. Since those channels are now gone, they must shift most marketing efforts towards digital channels like mass email, webinars, and digital downloads. /1 This is way easier said than done. Start-ups will need to create substantially more attractive content draw attention. Gain people's attention will be 100x hard since every other business needs to do the same. And, the big guys already have massive mailing lists to leverage. /2

For many years I’ve owned a pair of 1964 Lincoln Continental’s. Hawaii is unkind to classic cars and they fell into disrepair. So in mid-Feb I shipped them to San Diego to begin a complete 6mo restoration process. I'll update this thread periodically with pics of the process. In the meantime, I of course needed something to drive. In the the most amazing bit of luck, at about the same time I found one of my bucket list cars — my unicorn after searching for 20+ years. A fully customized 1950 Mercury, black with flames. It’s like a real-life hotwheel.

While some may disagree, the approach of the U.S. education system is vocational in nature — job training. The challenge is the types of [good] jobs graduates will apply for upon graduation don’t yet while they go through school. /1 Today, long-term vocational training runs the risk of preparing people for a particular job that could easily disappear due to fast moving innovation and automation upon graduation. /2

When it comes to the news, I value the credibility of particular journalists far above the credibility of the publication. Especially in mainstream media. For example, I read/follow @nicoleperlroth and not the NYT. I read/follow @dangoodin001 and not Ars. @SteveD3 and not CSO. /1 @nicoleperlroth @dangoodin001 @SteveD3 In my experience, just because an article has the logo of a large publication at the top, it doesn't mean the content is credible. But if the article is written by someone I find credible, then the content is likely also credible, and it doesn't matter to me who published it. /2

Thought: Next year, cyber-insurance carriers will see a notable increase in breach claims largely stemming from covid-19. The rationale being that a great many companies, and their IT shops, are moving fast to support a remote work force. /1 More mission-critial systems (and sensitive data) will be made exterally accessible to a vastly larger number of remote workers with untested processes. More endpoints = more attack surface. The faster IT moves, the more likely [security] mistakes will be made. /2

I tell ya what, after people spend several weeks working out of their home and NOT required to spend countless hours in cars / trains commuting, a great many WILL NOT want to go back to the way things were. As such, I for one welcome a world of increased efficiency, productivity, and quality of life. A world where business has broader access to talent and where workers have increased job opportunities. It’ll take time, but there is at least one silver lining in all of this madness.