    How Blumira Helps With

    Cyber Insurance Questions & Answers

    There are many types of insurance policies that ask questions about cybersecurity. These questions can be tough to answer if you have overlapping products and services. Blumira has captured many cyber insurance application questions so we can provide suggested answers for Blumira customers and partners. Be sure to update your answers based on the Blumira configuration you’re using and the state of your network security.

    Cyber Insurance Application Tips

    Remember, when filling out an insurance application:

    Be honest

    Your answers need to be technically accurate for the point in time that the application is being filled out.

    Provide context

    Try to stay away from one-word answers and add any information that could be helpful to the insurance carrier. Explain what you're doing, or not doing, and why.

    Possible Risk Information

    Supply additional information for a complete picture of possible risk. For example, if two executives refuse to turn on MFA for their email, disclose that on the application. That way, should they get phished in the future and it leads to a breach, the insurance company was aware of that risk when it agreed to bind your policy.

    Insurance Application Reference Questions and Suggested Responses


    • Security Information and Event Management System (SIEM)?

      Does the applicant use a Security Information and Event Management system (SIEM)?

      Yes. We use Blumira as our SIEM, which collects and analyzes log data for our organization. Blumira provides detections across the data we send and has an internal detection engineering team that tracks new vulnerabilities and detection methods. If threats are identified, Blumira sends prioritized threat findings/alerts to our helpdesk with case management and playbooks built into each detected event so we always have a guided response. Additionally, Blumira provides the ability to generate reports, automated and ad hoc, for our compliance and internal visibility needs. All data sent to Blumira is kept for 1 year and Blumira's Security Operations (SecOps) team is available 24/7 for urgent incident response support.

    • Security Operations Center (SOC)

      Please provide details on whether you have a Security Operations Center (SOC) that is responsible for event monitoring, detection, and incident response. Please include details on the hours of operation and whether this is an internal function or outsourced to a third party.

      SOC Definition: Security Operations Center (SOC) is an information security team responsible for monitoring and analyzing an organization’s security posture on an ongoing basis. The SOC team’s goal is to detect, analyze and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes. SOCs can be internal and run by the organization themselves or outsourced to a third party.

      Suggested Response: Blumira provides us with automated security operations via their SIEM platform as well as a 24×7 Security Operations team for event monitoring and detection as well as guided incident response. The Blumira platform analyzes the data it receives and detects threats, operational risks, and suspicious behavior for our organization. The platform also provides remediation process guidance to help us respond to incidents. The Blumira Customer Success team reviews our security posture with us on an ongoing basis and the Blumira Security Operations (SecOps) team is available 24/7 for urgent incident response support.

    • Advanced Threat Protection

      Does the applicant have Advanced Threat Protection settings enabled on their network?

      We have Advanced Threat Protection enabled via <insert EDR name> and collect additional EDR-based telemetry via Blumira Agent. This allows us to identify threat behaviors before antivirus signatures are available and to detect risky actions by internal IT staff within the organization. We also send our firewall logs to Blumira for event monitoring and advanced threat protection.

      All data sent to Blumira is kept for 1 year and the Blumira Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

      Note – If you use Blumira’s Dynamic Blocklist feature and have it configured in your firewalls, this would be a good place to mention it for the automated blocking of bad IPs based on numerous threat intelligence feeds.

    • Firewall / IPS Configurations with Log Retention?

      Do you have inbound and outbound firewall / IPS configurations with log retention?

      Yes, we send our firewall logs, with IPS enabled, to Blumira for both inbound and outbound traffic as well as internally routed segments that pass through their respective firewalls. Blumira stores these logs for 1 year and performs ongoing threat feed and data analysis on them to identify threats the IPS missed. Additionally, we use Blumira to look for large transfers in and out of the environment across the firewall. If necessary, Blumira's Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

    • 24/7 Network Monitoring

      Do you use a network monitoring solution to alert your organization to suspicious activity or malicious behavior on your network and is it monitored 24/7?

      We use Blumira for all network monitoring to determine if suspicious activity or malicious behavior occurs, and Blumira's Security Operations team provides 24×7 support to our internal IT team. If a high priority alert is triggered, we are called, texted, and emailed so we can follow the remediation guidance provided by Blumira. If additional support is required, we can speak to the Blumira Security Operations team within 1 hour. All data sent to Blumira is kept for 1 year.

    • Protect Privileged User Accounts

      Please provide details on how you protect privileged user accounts (e.g. using privileged access management solutions, restricting privileged user accounts to specific devices, enhanced monitoring of accounts for anomalous usage, multi-factor authentication enabled for remote access etc).

      Blumira monitors modifications to IAM across our environments (e.g., on-prem Active Directory, firewall management, Microsoft 365, and Azure). Blumira alerts on the creation and modification of these accounts and on attacks against them such as password spraying or brute forcing. Blumira additionally allows us to enable louder alerts, such as account lockouts and account reset patterns, which our helpdesk uses to support our employees as needed. We also use Blumira to detect plaintext password files on hosts so that user account passwords are not left in the clear on the host.

      All data sent to Blumira is kept for 1 year and Blumira’s Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

    • Additional Steps to Detect and Prevent Ransomware Attacks

      Please describe any additional steps your organization takes to detect and prevent ransomware attacks (e.g. segmentation of your network, additional software tools, external security services, etc.)

      Blumira SIEM is in use to collect logs from all production systems, including Windows servers and workstations with Sysmon enabled, WAN firewalls, cloud-hosted Microsoft 365 email and all other Microsoft 365 apps, and our MFA provider. Combined with Blumira's threat feed evaluation, this allows us to be aware when a known-bad IP is attempting to attack us and to block it by default. If an attacker is able to land within the environment, we use the Blumira platform to analyze our logs and detect the common methods of initial access. These alerts are sent to our MSP's technical/security staff who triage and respond to alerts based on their priority level. All data sent to Blumira is kept for 1 year and is available for investigation and reporting. The Blumira Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

    • Endpoint Detection and Response (EDR) and Next-Generation Antivirus (NGAV)

      Does the applicant use Endpoint Detection and Response (EDR) or a Next-Generation Antivirus (NGAV) software (e.g., CrowdStrike, Cylance, Carbon Black) to secure all system endpoints?

      We use the Blumira EDR agent, which provides endpoint detection and response for Windows endpoints. The agent sends logs to the Blumira platform for near real-time detection and the Blumira platform provides playbooks for guided response. The agent also gives us the ability to isolate hosts in order to contain a threat detected on an endpoint. Detections are created and managed by the Blumira SecOps team, who are also available 24/7 to help us with critical incidents should the need arise.

    • EDR Monitoring and Management

      Please provide an overview of how your EDR product is monitored and managed (e.g. Internal IT team or outsourced to a third party).

      Using the Blumira EDR agent, our Windows endpoint logs are sent to the Blumira detection and response platform which monitors and analyzes logs for suspicious or threat activity.

      The platform notifies us when it detects anomalies and we follow playbook instructions on how to respond, including isolating the host if recommended to contain a threat on an endpoint, cutting off access to the rest of the network. Blumira incident detection engineers proactively manage detections, updating them to keep us protected from new vulnerabilities and exploits.

      The Blumira security operations (SecOps) team provides 24/7 support for all critical priority issues and helps our IT provider with guided response, security advice, and investigation. If needed, they will work with an incident response team to help resolve any identified issues.

    • 24/7 Staffed and Managed Endpoint Detection and Response (EDR)

      Does the applicant use a 24/7 staffed and managed Endpoint Detection and Response (EDR) for all endpoints? (If yes to EDR, please list provider in the comments).

      We use the Blumira EDR agent paired with the Blumira automated detection and response platform to provide coverage for all of our Windows endpoints. The Blumira SecOps team provides 24/7 support and guided response for critical priority issues. Blumira incident detection engineers manage the platform’s detection rules, keeping them up to date to identify the latest vulnerabilities and exploits. Our team is notified of any endpoint threats, and we take action based on provided playbooks to investigate and respond promptly, including isolating the host if recommended to contain a threat on an endpoint, cutting off access to the rest of the network.

    • Endpoint Application Isolation and Containment Technology

      Do you use endpoint application isolation and containment technology on all endpoints? If yes, name your provider.

      We have the Blumira endpoint agent on all Windows devices. It provides endpoint isolation and containment technology, enabling us to isolate a host and cut off its network access (other than to Blumira, which continues collecting log data from the device for incident response) when the Blumira platform detects an endpoint threat.
