Skip to content
    How Blumira Helps With

    Cyber Insurance Questions & Answers

    There are many types of insurance policies that ask questions about cybersecurity. These questions can be tough to answer if you have overlapping products and services. Blumira has captured many cyber insurance application questions so we can provide suggested answers for Blumira customers and partners. Be sure to update your answers based on the Blumira configuration you’re using and the state of your network security.

    Cyber Insurance Application Tips

    Remember, when filling out an insurance application:

    Data Insights
    Be honest

    Your answers need to be technically accurate for the point in time that the application is being filled out.

    Smart Automation
    Provide context

    Try to stay away from one-word answers and add any information  that could be helpful to the insurance carrier. Explain what you’re doing - or not doing - and why.

    Efficient
    Possible Risk Information

    Supply additional information for a complete picture of possible risk. For example, if there are two executives that refuse to turn on MFA for their email, disclose that on the application. That way, should they get phished in the future and it leads to a breach, the insurance company was aware of that risk when they agreed to bind your policy.

    Insurance Application Reference Questions and Suggested Responses

    Click on the top to see the full question and suggested response.

    • Security Information and Event Management System (SIEM)?

      Does the applicant use a Security Information and Event Management system (SIEM)?

      Yes. We use Blumira as our SIEM, which collects and analyzes log data for our organization. Blumira provides us with detections across data sent to them and has their own internal detection engineering team that tracks and stays up to date on all new vulnerabilities and methods of detection. If threats are identified, Blumira sends prioritized threat findings/alerts to our helpdesk with case management and playbooks built into each detected event so we always have a guided response. Additionally, Blumira provides the ability to generate reports, automated and ad hoc, for our compliance and internal visibility needs. All data sent to Blumira is kept for 1 year and Blumira’s Security Operations (SecOps) team is available 24/7 for urgent incident response support.

    • Security Operations Center (SOC)

      Please provide details on whether you have a Security Operations Center (SOC) that is responsible for event monitoring, detection, and incident response. Please include details on the hours of operation and whether this is an internal function or outsourced to a third party.

      SOC Definition: Security Operations Center (SOC) is an information security team responsible for monitoring and analyzing an organization’s security posture on an ongoing basis. The SOC team’s goal is to detect, analyze and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes. SOCs can be internal and run by the organization themselves or outsourced to a third party.

      Suggested Response: Blumira provides us with automated security operations via their SIEM platform as well as a 24×7 Security Operations team for event monitoring and detection as well as guided incident response. The Blumira platform analyzes the data it receives and detects threats, operational risks, and suspicious behavior for our organization. The platform also provides remediation process guidance to help us respond to incidents. The Blumira Customer Success team reviews our security posture with us on an ongoing basis and the Blumira Security Operations (SecOps) team is available 24/7 for urgent incident response support.

    • Advanced Threat Protection

      Does the applicant have Advanced Threat Protection settings enabled on their network?

      We have Advanced Threat Protection enabled via <insert EDR name> and collect additional EDR-based telemetry via Blumira Agent. This allows us to identify threat behaviors ahead of proper AV signatures and track any potentially negative behaviors by internal IT teams within the organization. We also have our firewall logs sent to Blumira for event monitoring and advanced threat protection.

      All data sent to Blumira is kept for 1 year and the Blumira Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

      Note – If you use Blumira’s Dynamic Blocklist feature and have it configured in your firewalls, this would be a good place to mention it for the automated blocking of bad IPs based on numerous threat intelligence feeds.

    • Firewall / IPS Configurations with Log Retention?

      Do you have inbound and outbound firewall / IPS configurations with log retention?

      Yes, we send our firewall logs with IPS enabled to Blumira for both directions as well as internally-routed segments that pass through their respective firewalls. Blumira stores these logs for 1 year and performs ongoing threat feed and data analysis on these logs to ensure that threats missed by the IPS are identified. Additionally, we use Blumira to look for large transfers in and out of the environment across the firewall. If necessary, Blumira’s Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

    Does the applicant use a Security Information and Event Management system (SIEM)?

    Yes. We use Blumira as our SIEM, which collects and analyzes log data for our organization. Blumira provides us with detections across data sent to them and has their own internal detection engineering team that tracks and stays up to date on all new vulnerabilities and methods of detection. If threats are identified, Blumira sends prioritized threat findings/alerts to our helpdesk with case management and playbooks built into each detected event so we always have a guided response. Additionally, Blumira provides the ability to generate reports, automated and ad hoc, for our compliance and internal visibility needs. All data sent to Blumira is kept for 1 year and Blumira’s Security Operations (SecOps) team is available 24/7 for urgent incident response support.

    Please provide details on whether you have a Security Operations Center (SOC) that is responsible for event monitoring, detection, and incident response. Please include details on the hours of operation and whether this is an internal function or outsourced to a third party.

    SOC Definition: Security Operations Center (SOC) is an information security team responsible for monitoring and analyzing an organization’s security posture on an ongoing basis. The SOC team’s goal is to detect, analyze and respond to cybersecurity incidents using a combination of technology solutions and a strong set of processes. SOCs can be internal and run by the organization themselves or outsourced to a third party.

    Suggested Response: Blumira provides us with automated security operations via their SIEM platform as well as a 24×7 Security Operations team for event monitoring and detection as well as guided incident response. The Blumira platform analyzes the data it receives and detects threats, operational risks, and suspicious behavior for our organization. The platform also provides remediation process guidance to help us respond to incidents. The Blumira Customer Success team reviews our security posture with us on an ongoing basis and the Blumira Security Operations (SecOps) team is available 24/7 for urgent incident response support.

    Does the applicant have Advanced Threat Protection settings enabled on their network?

    We have Advanced Threat Protection enabled via <insert EDR name> and collect additional EDR-based telemetry via Blumira Agent. This allows us to identify threat behaviors ahead of proper AV signatures and track any potentially negative behaviors by internal IT teams within the organization. We also have our firewall logs sent to Blumira for event monitoring and advanced threat protection.

    All data sent to Blumira is kept for 1 year and the Blumira Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

    Note – If you use Blumira’s Dynamic Blocklist feature and have it configured in your firewalls, this would be a good place to mention it for the automated blocking of bad IPs based on numerous threat intelligence feeds.

    Do you have inbound and outbound firewall / IPS configurations with log retention?

    Yes, we send our firewall logs with IPS enabled to Blumira for both directions as well as internally-routed segments that pass through their respective firewalls. Blumira stores these logs for 1 year and performs ongoing threat feed and data analysis on these logs to ensure that threats missed by the IPS are identified. Additionally, we use Blumira to look for large transfers in and out of the environment across the firewall. If necessary, Blumira’s Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

    • 24/7 Network Monitoring

      Do you use a network monitoring solution to alert your organization to suspicious activity or malicious behavior on your network and is it monitored 24/7?

      We use Blumira for all network monitoring to determine if suspicious activity or malicious behavior occurs, and Blumira provides 24×7 support for their Security Operations team to our internal IT team. If a high priority alert is triggered, we are called, texted, and emailed so we can follow remediation guidance provided by Blumira. If additional support is required, we can speak to the Blumira Security Operations team within 1 hour. All data sent to Blumira is kept for 1 year.

    • Protect Privileged User Accounts

      Please provide details on how you protect privileged user accounts (e.g. using privileged access management solutions, restricting privileged user accounts to specific devices, enhanced monitoring of accounts for anomalous usage, multi-factor authentication enabled for remote access etc).

      Blumira monitors the modification of all IAM within our environments (e.g., on-prem Active Directory, firewall management, Microsoft 365, and Azure). Blumira alerts to the creation, modification, and potential attacks against these accounts such as password spraying or brute forcing. Blumira additionally allows us to enable louder alerts such as account lockouts and account reset patterns which our helpdesk uses to support our employees as needed. We also use Blumira to detect plaintext password files on hosts to ensure that user account passwords are not lost on the host.

      All data sent to Blumira is kept for 1 year and Blumira’s Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

    • Additional Steps to Detect and Prevent Ransomware Attacks

      Please describe any additional steps your organization takes to detect and prevent ransomware attacks (e.g. segmentation of your network, additional software tools, external security services, etc.)

      Blumira SIEM is in use to collect logs from all production systems, including Windows servers and workstations with Sysmon enabled, WAN firewalls, cloud-hosted Microsoft 365 email, and all other Microsoft 365 apps, and our MFA provider. This combined with their threat feed evaluation allows for us to be aware if a known-bad IP is attempting to attack us and block it by default. If an attacker is able to land within the environment, we use the Blumira platform to analyze our logs and detect all potential methods of early access. These alerts are sent to our MSP’s technical/security staff who triage and respond to alerts based on their priority level. All data sent to Blumira is kept for 1 year and is available for investigation and reporting. The Blumira Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

    Do you use a network monitoring solution to alert your organization to suspicious activity or malicious behavior on your network and is it monitored 24/7?

    We use Blumira for all network monitoring to determine if suspicious activity or malicious behavior occurs, and Blumira provides 24×7 support for their Security Operations team to our internal IT team. If a high priority alert is triggered, we are called, texted, and emailed so we can follow remediation guidance provided by Blumira. If additional support is required, we can speak to the Blumira Security Operations team within 1 hour. All data sent to Blumira is kept for 1 year.

    Please provide details on how you protect privileged user accounts (e.g. using privileged access management solutions, restricting privileged user accounts to specific devices, enhanced monitoring of accounts for anomalous usage, multi-factor authentication enabled for remote access etc).

    Blumira monitors the modification of all IAM within our environments (e.g., on-prem Active Directory, firewall management, Microsoft 365, and Azure). Blumira alerts to the creation, modification, and potential attacks against these accounts such as password spraying or brute forcing. Blumira additionally allows us to enable louder alerts such as account lockouts and account reset patterns which our helpdesk uses to support our employees as needed. We also use Blumira to detect plaintext password files on hosts to ensure that user account passwords are not lost on the host.

    All data sent to Blumira is kept for 1 year and Blumira’s Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

    Please describe any additional steps your organization takes to detect and prevent ransomware attacks (e.g. segmentation of your network, additional software tools, external security services, etc.)

    Blumira SIEM is in use to collect logs from all production systems, including Windows servers and workstations with Sysmon enabled, WAN firewalls, cloud-hosted Microsoft 365 email, and all other Microsoft 365 apps, and our MFA provider. This combined with their threat feed evaluation allows for us to be aware if a known-bad IP is attempting to attack us and block it by default. If an attacker is able to land within the environment, we use the Blumira platform to analyze our logs and detect all potential methods of early access. These alerts are sent to our MSP’s technical/security staff who triage and respond to alerts based on their priority level. All data sent to Blumira is kept for 1 year and is available for investigation and reporting. The Blumira Security Operations (SecOps) team is available 24/7 for urgent guided incident response support.

    • Endpoint Detection and Response (EDR) and Next-Generation Antivirus (NGAV)

      Does the applicant use Endpoint Detection and Response (EDR) or a Next-Generation Antivirus (NGAV) software (e.g., CrowdStrike, Cylance, Carbon Black) to secure all system endpoints?

      We use the Blumira EDR agent. which provides endpoint detection and response for Windows endpoints. The agent sends logs to the Blumira platform for near real-time detection and the Blumira platform provides playbooks for guided response. The agent also gives us the ability to isolate hosts in order to contain a threat detected on an endpoint. Detections are created and managed by the Blumira SecOps team who are also available 24/7 to help us with critical incidents should the need arise.

    • EDR Monitoring and Management

      Please provide an overview of how your EDR product is monitored and managed (e.g. Internal IT team or outsourced to a third party).

      Using the Blumira EDR agent, our Windows endpoint logs are sent to the Blumira detection and response platform which monitors and analyzes logs for suspicious or threat activity.

      The platform notifies us when it detects anomalies and we follow playbook instructions on how to respond, including isolating the host if recommended to contain a threat on an endpoint, cutting off access to the rest of the network. Blumira incident detection engineers proactively manage detections, updating them to keep us protected from new vulnerabilities and exploits.

      The Blumira security operations (SecOps) team provides 24/7 support for all critical priority issues and helps our IT provider with guided response, security advice, and investigation. If needed, they will work with an incident response team to help resolve any identified issues.

    • 24/7 Staffed and Managed Endpoint Detection and Response (EDR)

      Does the applicant use a 24/7 staffed and managed Endpoint Detection and Response (EDR) for all endpoints? (If yes to EDR, please list provider in the comments).

      We use the Blumira EDR agent paired with the Blumira automated detection and response platform to provide coverage for all of our Windows endpoints. The Blumira SecOps team provides 24/7 support and guided response for critical priority issues. Blumira incident detection engineers manage the platform’s detection rules, keeping them up to date to identify the latest vulnerabilities and exploits. Our team is notified of any endpoint threats, and we take action based on provided playbooks to investigate and respond promptly, including isolating the host if recommended to contain a threat on an endpoint, cutting off access to the rest of the network.

    • Endpoint Application Isolation and Containment Technology

      Do you use endpoint application isolation and containment technology on all endpoints? If yes, name your provider

      We have the Blumira endpoint agent on all Windows devices. It provides endpoint isolation and containment technology, enabling us to isolate a host and cut off its network access (other than to Blumira, which continues collecting log data from the device for incident response) when the Blumira platform detects an endpoint threat.

    Does the applicant use Endpoint Detection and Response (EDR) or a Next-Generation Antivirus (NGAV) software (e.g., CrowdStrike, Cylance, Carbon Black) to secure all system endpoints?

    We use the Blumira EDR agent. which provides endpoint detection and response for Windows endpoints. The agent sends logs to the Blumira platform for near real-time detection and the Blumira platform provides playbooks for guided response. The agent also gives us the ability to isolate hosts in order to contain a threat detected on an endpoint. Detections are created and managed by the Blumira SecOps team who are also available 24/7 to help us with critical incidents should the need arise.

    Please provide an overview of how your EDR product is monitored and managed (e.g. Internal IT team or outsourced to a third party).

    Using the Blumira EDR agent, our Windows endpoint logs are sent to the Blumira detection and response platform which monitors and analyzes logs for suspicious or threat activity.

    The platform notifies us when it detects anomalies and we follow playbook instructions on how to respond, including isolating the host if recommended to contain a threat on an endpoint, cutting off access to the rest of the network. Blumira incident detection engineers proactively manage detections, updating them to keep us protected from new vulnerabilities and exploits.

    The Blumira security operations (SecOps) team provides 24/7 support for all critical priority issues and helps our IT provider with guided response, security advice, and investigation. If needed, they will work with an incident response team to help resolve any identified issues.

    Does the applicant use a 24/7 staffed and managed Endpoint Detection and Response (EDR) for all endpoints? (If yes to EDR, please list provider in the comments).

    We use the Blumira EDR agent paired with the Blumira automated detection and response platform to provide coverage for all of our Windows endpoints. The Blumira SecOps team provides 24/7 support and guided response for critical priority issues. Blumira incident detection engineers manage the platform’s detection rules, keeping them up to date to identify the latest vulnerabilities and exploits. Our team is notified of any endpoint threats, and we take action based on provided playbooks to investigate and respond promptly, including isolating the host if recommended to contain a threat on an endpoint, cutting off access to the rest of the network.

    Do you use endpoint application isolation and containment technology on all endpoints? If yes, name your provider

    We have the Blumira endpoint agent on all Windows devices. It provides endpoint isolation and containment technology, enabling us to isolate a host and cut off its network access (other than to Blumira, which continues collecting log data from the device for incident response) when the Blumira platform detects an endpoint threat.

    FS_TBG_Logo_Dark_White_BGSPECIAL OFFER FROM OUR PARTNER
    20% Off Admin Costs
    for Blumira Clients

    Founder Shield is a risk management partner for high-growth companies across emerging markets, striving to create the most seamless, intuitive, and responsive insurance-purchasing experience powered by proprietary technology and insurance products. 

    We craft insurance solutions as unique as your vision. Forget a transactional approach. Our risk advisors, industry veterans with you every step of the way, understand the digital age's specific challenges for your business. We leverage technology for a smooth experience and provide unwavering support. Focus on what matters most — protecting the possible.

    Learn More About Founder Shield ->

    Get Started for Free

    Experience the Blumira Free SIEM, with automated detection and response and compliance reports for 3 cloud connectors, forever.