Preventing breaches: How Coalition helped customers get ahead of MS Exchange vulnerabilities
Picture it: The Microsoft Security Response Center Blog, March 2, 2021. An article is posted detailing vulnerabilities in Microsoft Exchange (a popular email, calendar, and contact platform), and details of the vulnerabilities being actively exploited by Chinese nation-state actors soon followed.
The vulnerabilities were so severe that it was possible to completely compromise an Exchange server, giving an attacker access to all emails and a foothold inside the network to compromise other resources.
Coalition’s ability to pinpoint cyber risks that affect our policyholders and offer dedicated support is unique in the industry. The numbers demonstrate how we not only insure against cyber risk but prevent it in the first place!
The story
This situation is what’s known as a zero-day, where a vulnerability is disclosed before a fix is available. Microsoft had been alerted to the presence of the vulnerabilities before March 2, but needed time to write and test a software patch. Unfortunately, the vulnerability was exploited before a patch was available, but publicly disclosing the vulnerability before a patch would not have achieved any positive outcomes.
The Exchange server software can be run in a cloud environment like Microsoft 365, which was not affected by the vulnerabilities, or by an organization using their own servers, called on-premises (which was vulnerable). This meant that some of our policyholders had already been compromised, so our scanning and alerts were, unfortunately, the event that caused them to discover a breach. Once those breaches were detected, our Claims and Coalition Incident Response (CIR) team sprang to action to help investigate, recover, and restore.
This entire process of enumerating policyholders that were vulnerable, scanning them, and notifying them within a day was possible due to our attack surface monitoring (ASM) platform.
Policyholders who had not been breached, but were vulnerable, benefited from Coalition’s continuous monitoring and alerting. Since the fix was released outside Microsoft’s normal schedule of Patch Tuesday, administrators might have missed the availability of the patches, leaving them exposed. Many policyholders who outsource their IT weren’t aware of vulnerability at all, so ensuring their IT service provider was on top of the situation was critical.
By the numbers Timeline
March 2 - Microsoft discloses the vulnerabilities, shares information about active exploitation, and provides patches. March 3-5 - Coalition identifies nearly 1,000 policyholders who might be affected and sends an alert. Where needed, we engaged our broker partners to track down policyholder contact information to ensure the message got through. March 3 - April 2 - Coalition Incident Response and Customer Security teams partner with insureds to help them install and verify the fixes.
Stats
5% of Coalition’s insureds were vulnerable
98% of insureds have remediated the vulnerability
1,500+ customer interactions to provide support and assistance
Our philosophy
At Coalition, we believe in the alignment of risk incentives — we seek to minimize risks we take on and help our policyholders reduce the risks that can lead to a security incident.
We are happy to engage our claims and incident response support, but if we can help a policyholder avoid an incident, that’s a win all around because that incident is a bad day for the insured and their business.
Our efforts to prevent “cybersecurity bad days” for this Exchange vulnerability included:
Policyholder support to identify coverages in case a claim was needed.
Proactive scanning and notification to potentially impacted policyholders.
Technical support from our team to navigate the labyrinthine patching process. There were at least four “official” methods to remediate the vulnerability (seriously), and the process is fraught with potential false positives that give the impression you’re protected when you’re still vulnerable.
Vigilance + speed
Effective cybersecurity relies on two core principles: vigilance and speed. Technology vulnerabilities are being continuously disclosed (including a new set of Exchange vulnerabilities revealed in April 2021), so it’s critical to maintain an accurate inventory of tools and platforms you use and ensure patches are installed promptly. The speed of responding is also critically important since attackers are using automated tools and moving quickly.
Vulnerabilities are a fact of life when using technology, but the good news is you don’t have to go it alone. A partner like Coalition can help you identify and fix risks before they happen, and we are there to help you if the worst should happen. Get in touch with Coalition today.