Sergey Nivens - Fotolia
There are no guarantees when it comes to infosec technology, but more companies today are exploring the concept of a cyber warranty for their products.
One such security vendor, SentinelOne Inc., has established itself as one of the pioneers in the burgeoning cyber warranty market. Last year, the company established a ransomware warranty on its Endpoint Protection Platform (EPP) worth up to $1 million. If a customer using EPP to defend against ransomware gets infected with WannaCry or another ransomware variant, SentinelOne cuts a very expensive check to the company.
Jeremiah Grossman, chief of security strategy at SentinelOne, talked with SearchSecurity at Black Hat 2017 about the company's threat protection guarantee and where it stands today. He also talked about the challenges of developing a cyber warranty, as well as the benefits of having one, and how it compares to the growing cyberinsurance market. Here is part one of the conversation with Grossman.
How does EPP work, and why did you decide to develop a cyber warranty for it?
Jeremiah Grossman: SentinelOne, as Gartner classifies this space, is next-generation endpoint protection. The way we deploy it is we put an agent at all the endpoints. You control it via the cloud, and we stop malware from infecting you.
Our secret sauce is that we have machine learning and behavioral analysis; if something looks malicious, rather than being identified by known signatures as malicious, we can stop it.
I was brought into the company for two reasons. One was to focus on ransomware. I was looking at it three or four years ago because all the stars aligned for this to be the next billion-dollar cybercrime market.
And second, when we enter in such a crowded space ... you have to differentiate between 60 other players all saying their products work and the rest don't. So we differentiated by designing a product warranty; our ransomware warranty is built around [SentinelOne EPP] because I have a special skill set having done that many times before.
So, at this time last year, I gave a presentation at Black Hat. There were four vendors that had a warranty; now, there are 18.
A cyber warranty must have been a hard sell at first. What was that conversation like?
Grossman: Everybody said I was crazy. Everybody said, 'No one will ever do that.' But when you work out the math and all of the objections, you can do it. I really do generally encourage every other vendor, including our competitors, to do it, and I'll teach them how, if they like.
You need to do two things. You need to know statistically how well your product works. For example, our product, in terms of ransomware, has a less than 1% failure rate over a given year.
You've got to model your losses. In the event that you fail, what's the loss? And then you have to reinsure it. That's the critical part.
Reinsurance on a security product warranty ends up being, in my experience, $20,000 to $25,000 or less per year, not per customer, for a lot of customers. When you get over all the excuses, you can do this. I wouldn't have come to SentinelOne unless they gave me the opportunity to design a warranty, which is the first ever of its kind in this space.
Now, it's all well and good to offer a warranty, but what happens when you [undergo] trial by fire? The bottom line is, this year, there were no claims and no payouts, even in context of WannaCry and NotPetya. We had two large-scale ransomware outbreaks that were viral in nature. In each one, I lost a week in my life, but imagine our incentives -- we have millions in liability outstanding, and we have to get on this outbreak right now. Customers like that.
We had no reports of infection, no claims and no payouts in each case. When you have a product that works, you'll be okay. You might suffer anxiety, but the customers will be good.
It sounds stressful, but at the same time, you must be thinking if you can get through these ransomware outbreaks, then that's going to do wonders for the appeal of your cyber warranty.
Grossman: The appeal is cool from a dollars-and-cents standpoint. First, it gives the customer a sense of confidence that you're not just selling them a line. We're putting our money where our mouth is. The customers don't want to get hacked and we really, really don't want them to get hacked.
And the second thing is a $1 million warranty is a good token gesture, but when the average losses on a breach for the midscale are between $3 million and $7 million, then that warranty has to go up. It's not like we drew this line at $1 million and we're done now; we're going to increase the things we trigger on -- not just ransomware, the level of payouts and what we pay out on. So we'll do v2 of our warranty.
How hard was it to figure out those thresholds and limits for what triggers the warranty?
Grossman: Those are really hard numbers to get. We do it like cyberinsurance does it. There are hard costs and there are soft costs. Hard costs will be downtime, incident response, fines, legal fees and things like that.
No one covers the soft costs, like reputation [damage]. Cyberinsurance doesn't, and we don't either. No one really knows how to measure soft costs.
That seems like something customers are going to ask for.
Grossman: They can ask all they want. I'll give you two ends of that conversation. Let's say Target had a breach, and their stock takes a momentary loss, and then they recover. Everybody's stock recovers.
The other side of that is that there's a term called indirect hard loss. Let's use Target as an example again; even though the company has been made whole, you can take a statistical average of a customer that transacts, let's say, $100 a year at Target. The customer that got hacked [at] Target isn't going to go away, but maybe they transact $50 a year going forward instead of $100.
So that $50 is your indirect hard loss. That's the one everybody has to calculate, but you can only calculate it internally if you know the numbers. And that's going to be a hard cost to even equate to reputational damage. We don't have those numbers in the industry right now.
And you haven't had any claims and any payouts?
Grossman: None that I'm aware of. I helped design about half the warranties, so I'm familiar with them. And it's kind of a biased sampling for two reasons.
One is only the companies that have really, really good products are going to offer a warranty. And two, the warranties have only been around a year or two, and sales haven't fully ramped up yet, so the sample size is still relatively small.
Have you had customers try to wiggle out of the parameters of the warranty and say things like 'Well, I didn't get hit by ransomware, but I had this happen'?
Grossman: No. Maybe it will happen if we have double or triple the number of customers. But the terms are pretty specific. There's not a lot of equivocation.
In cyberinsurance, they have that happen all the time. There was a case -- I don't remember the company name -- where the victim had cyberinsurance. There was a spear phishing attack and [the threat actor] said, 'I am the CFO, please wire money to this Chinese bank account.'
The money got sent, and the company wanted to make a cyberinsurance claim, but the carrier said, 'No,' on the basis that that wasn't a hack. That's social engineering. That's not security. Those are the kinds of conversations that happen.
Phishing and social engineering attacks are pretty common. Do they present a loophole, then, for cyberinsurance?
Grossman: I don't know if it's a loophole. A lot of times, attackers use phishing to plant malware. But this case was just an attacker pretending to be somebody else. There was no malware.
If the policy said, 'We'll cover that kind of social engineering attack,' then great, it's covered. But, in this case, it didn't. The policy was protecting against a breach.
Stay tuned for part two of the interview with Jeremiah Grossman of SentinelOne.
Read more on how NotPetya ransomware lived off the land
Find out what you should know about building threat intelligence teams
Discover how ransomware shifted to destruction-of-service attacks