Episode #110

Coalition's Daniel Woods on What Cyber Insurance Claims Reveal About Security Controls

Daniel Woods, Principal Security Researcher, and his team at Coalition analyzed forensic reports across their 100,000-policyholder base and found that 50% of ransomware incidents begin with VPN or firewall exploits. But here's the twist: 40-60% of those aren't vulnerability exploits at all; they're stolen credentials that bypass the perimeter devices entirely. Organizations running Cisco ASA devices show 5x higher claim rates than peers, with similar patterns across Fortinet, SonicWall, and Citrix SSL VPNs. When threat actors do exploit vulnerabilities, they're scanning and deploying shells within 24-48 hours of public disclosure, making your 72-hour patch SLAs dangerously obsolete.

Daniel also surfaces the gap between security control theory and organizational reality. Microsoft claims 99.9% MFA effectiveness for individual Azure accounts, but insurance claims data shows no measurable risk reduction at the organizational level, because that one service account without MFA, that legacy API integration nobody knew was enabled, or that exec who refused to enroll gives attackers everything they need. Organizations deploying threat-based training focused on social engineering tactics beyond phishing see measurably lower claim rates, suggesting we've been training for the wrong threat surface.

Topics discussed:

  • Analyzing cyber insurance claims data from 100,000 policyholders to identify which security controls actually reduce incident rates
  • Understanding why perimeter security devices like Cisco ASA, Fortinet, and SonicWall VPNs show 5x higher claim rates in insurance data
  • Examining the 40-60% of edge device breaches caused by stolen credentials rather than vulnerability exploits
  • Closing the gap between Microsoft's 99.9% individual MFA effectiveness claims and zero measurable organizational risk reduction
  • Revealing security awareness training effectiveness through a study showing only a 2% phishing failure reduction, versus the results of threat-based training
  • Comparing email security platforms, where Google Workspace shows lower claim rates than Office 365 due to included-by-default security features
  • Implementing a zero-day alert service that notifies policyholders within hours when vulnerable perimeter devices need immediate patching
  • Rethinking security awareness training as role-specific, finite courses targeting job risks rather than repetitive generic phishing exercises

Key Takeaways:

  • Audit your external perimeter for exposed Cisco ASA, Fortinet, SonicWall, and Citrix SSL VPN devices.
  • Implement hardware-based MFA enforcement across all services including legacy APIs and service accounts to close credential theft gaps.
  • Reduce patch SLAs from 72 hours to under 24 hours since threat actors scan and deploy shells within 24-48 hours of vulnerability disclosure.
  • Migrate email infrastructure to cloud-hosted platforms like Google Workspace that include security features by default.
  • Replace repetitive generic phishing training with role-specific threat-based courses focused on social engineering tactics.
  • Scan your policyholder or customer base for vulnerable perimeter devices using external scanning services to notify before exploits occur.
  • Build identity management architecture around centralized services with hardware token enforcement.
  • Evaluate security control effectiveness using multiple data sources rather than vendor claims alone.
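As an added example (not Coalition's tooling or anything from the episode), a small Python triage that applies two of the episode's figures to a constructed asset inventory: the appliance vendors with elevated claim rates, and a patch SLA under 24 hours derived from the 24-48 hour exploitation window. Hostnames, dates, and the priority scheme are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Appliance families the episode reports with elevated claim rates.
HIGH_RISK_VENDORS = {"cisco asa", "fortinet", "sonicwall", "citrix"}
# Episode: scanning and shell deployment seen 24-48h after disclosure,
# so the takeaway SLA is "under 24 hours". Modelled here as 24h (assumption).
PATCH_SLA = timedelta(hours=24)


@dataclass
class Asset:
    host: str
    vendor: str
    internet_exposed: bool
    advisory_published: Optional[datetime]  # None = no open advisory
    patched: bool = False


def hours_open(asset: Asset, now: datetime) -> Optional[float]:
    """Hours an advisory has been public for a still-unpatched asset."""
    if asset.advisory_published is None or asset.patched:
        return None
    return (now - asset.advisory_published).total_seconds() / 3600


def triage(assets: list[Asset], now: datetime) -> list[tuple[str, str, str]]:
    """Return (host, priority, reason), most urgent first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    sla_h = PATCH_SLA.total_seconds() / 3600
    out = []
    for a in assets:
        edge = a.internet_exposed and a.vendor.lower() in HIGH_RISK_VENDORS
        open_h = hours_open(a, now)
        if edge and open_h is not None and open_h >= sla_h:
            out.append((a.host, "critical", f"exposed {a.vendor}, advisory open {open_h:.0f}h: inside exploitation window"))
        elif edge and open_h is not None:
            out.append((a.host, "high", f"exposed {a.vendor}, advisory open {open_h:.0f}h: patch before SLA"))
        elif edge:
            out.append((a.host, "medium", f"exposed {a.vendor}: credential-theft target even when patched, verify MFA"))
        elif open_h is not None and open_h >= sla_h:
            out.append((a.host, "high", f"advisory open {open_h:.0f}h: past SLA"))
        else:
            out.append((a.host, "low", "no open advisory or not exposed"))
    return sorted(out, key=lambda r: rank[r[1]])


# Constructed sample inventory (hypothetical hosts and dates).
NOW = datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    Asset("vpn-1.example.com", "Cisco ASA", True, NOW - timedelta(hours=30)),
    Asset("fw-2.example.com", "Fortinet", True, NOW - timedelta(hours=6)),
    Asset("sslvpn.example.com", "Citrix", True, None),
    Asset("mail.example.com", "Postfix", True, NOW - timedelta(hours=40)),
    Asset("fw-lab.example.com", "SonicWall", False, NOW - timedelta(hours=2), patched=True),
]

if __name__ == "__main__":
    for host, priority, reason in triage(INVENTORY, NOW):
        print(f"{priority:8} {host:22} {reason}")
```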
