by balgan 1763 days ago
Director of Engineering - Security from Coalition here (we participated in the event). We committed to building more free security tools for all organisations to protect themselves. We've already made Coalition Control, our attack surface discovery and monitoring platform, free (https://control.coalitioninc.com) and we will continue to add more features and more tools for free there. If there are any questions, I am happy to answer them!
2 comments

What kind of standards could you create?

Some thoughts:

1) Certain infrastructure should be off the net automatically - pipelines, water treatment plants and similar things (or online only through hardware-guaranteed one-way connections).

2) Standards for testing backups.

3) Standards for IoT devices (a million insecure Internet light bulbs, what could possibly go wrong).

4) Standards for not having a hundred companies auto-updating onto the systems of critical infrastructure companies.

The great thing about insurance is that we don't just get to create baselines our policyholders must adhere to, we also get to enforce them. A perfect example of this is that anyone who has a policy with us must have RDP behind a VPN or whitelisted only to specific IPs. I spent years trying for free to convince orgs to do this and was ignored; here we convince all our policyholders to do it, and every day more and more companies do as we onboard them.

For backups, not only do they need to have them, they need to be tested, kept offline and encrypted. This doesn't apply to everyone; it's split by revenue bands, industry and a mix of other logic.

IoT devices - customers get notified in Control if we find any on the internet and are told not to have them directly exposed.

The same thing we do with RDP we also do with any critical vulnerability: we notify customers in Control (for example, all of the latest Exchange vulns).
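As an added illustration of the RDP baseline described in the comment above (this is example code, not Coalition's tooling or policy logic): the audit below finds enabled inbound Windows Firewall rules that allow TCP 3389 from any address, then scopes the built-in "Remote Desktop" rule group and any custom 3389 rule to a VPN subnet. The subnet 10.8.0.0/24 is an assumption; substitute the address range your VPN actually hands out.

```powershell
# Added example (not Coalition's code): audit Windows Firewall for inbound RDP
# rules open to any remote address, then restrict them to a VPN subnet.
# Run in an elevated PowerShell session on the host being hardened.

# Assumption: the VPN / management subnet is 10.8.0.0/24. Change to match your VPN.
$AllowedRemote = '10.8.0.0/24'

function Get-OpenRdpRules {
    # Enabled inbound allow rules on TCP 3389 whose remote scope is 'Any'.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            $port.Protocol -eq 'TCP' -and
            ($port.LocalPort -contains '3389') -and
            ($addr.RemoteAddress -contains 'Any')
        }
}

$open = Get-OpenRdpRules
if ($open) {
    Write-Host "RDP reachable from any address via rule(s):" ($open.DisplayName -join ', ')

    # Weak setting (what the audit flags): RemoteAddress = Any.
    # Corrected setting: the built-in Remote Desktop rules (TCP and UDP) only
    # accept connections from the VPN subnet.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowedRemote

    # Custom 3389 rules outside that group get the same scope rather than
    # being left open.
    $open | Where-Object DisplayGroup -ne 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $AllowedRemote
} else {
    Write-Host 'No inbound RDP allow rules open to Any were found.'
}

# Re-run the audit: an empty result means no enabled inbound TCP 3389 rule
# still accepts connections from arbitrary addresses.
Get-OpenRdpRules
```

Run it while connected from inside the VPN subnet, or from a console session, since tightening the scope from an RDP session that arrives over the public address will drop that session. The check only covers host firewall rules; a perimeter NAT rule or cloud security group that forwards 3389 is a separate control and needs its own review.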
Thanks balgan!

* Do you know if there are any follow up meetings planned? Did they discuss some kind of process?

* what were the main concerns discussed?

* interesting to find out about the coalition (I was briefly involved in a similar insurance setup in my home country). Is your ‘baseline’ derived from some standard? Can I find it online?

Hey

Yes, the group will continue to meet and I believe more will come out over time as we start to better define how we as private entities can help the gov.

Ransomware and attacks on critical infra were the big ones - Joshua our CEO wrote a bit about it here https://www.coalitioninc.com/blog/coalition-meets-with-presi...

- Our baseline is internal. We are with our customers end to end, from selling the policy to scanning them and notifying them, and we have our own incident response team, which means that we learn a lot with every claim. So when we add a vulnerability in critical state in Control, you can assume it came from learnings of losses combined with our cybersecurity expertise.

Nice feedback loop you have there (re the last point)! If you can point to the actual proven 'indicators of risk' instead of flagging every potential issue under the sun, everyone is going to love you!

I look forward to a summary report on incidents somewhere in the future ;)