The Insurance Data Security Model Law, approved by the National Association of Insurance Commissioners (NAIC) in October 2017, establishes a base standard of data security for insurers and other licensees of insurance departments. The slim, 18-page framework (PDF) is the NAIC response to concerns around cybersecurity and was a mammoth effort, both in achieving such a succinct consensus and partnering with NYDFS Cybersecurity Regulation stakeholders.
The model law is stricter than most—licensees are required to develop, implement, and maintain a comprehensive, written Information Security Program and designate someone to be responsible. Other key elements include regular testing, board-level buy-in and involvement, incident response plans, and specific breach notification procedures. Overall, we like that the framework suggests a modern approach to detecting and responding to threats. In this post, let’s look at a few interesting requirements and share how we can partner with your team across people, process, and technology.
Access controls and user authentication
MDL-668.PDF gets right down to business—by the end of page 4, you’ll know that InfoSec is mandated to “place access controls on information systems”—this includes preventing unauthorized users from accessing confidential information. A base challenge here is visibility, which isn’t helped by the fact that modern networks span remote workers and cloud infrastructure.
In our new research report, called "Under the Hoodie," we explore the major ways our professional pen testers are able to breach networks to uncover actionable security gaps for our clients to secure. In this report, we shared the three facets our team consistently attack to gain control of networks:
Therefore, our approach to detecting compromise starts by collecting the right data from your assets, users, and services. Our threat detection-focused SIEM, InsightIDR, collects and analyzes log and event data from your environment—including real-time endpoint data—to detect all of the top attack vectors behind breaches.
Detect actual and attempted attacks; keep an audit trail
Detecting penetration testers over a structured one-week engagement isn’t easy: Our red team went undetected 61% in this year’s research. While many organizations have invested in detecting malware on the endpoint, it’s just as important to have visibility into user behavior. Once an adversary has internal access to a network, the next steps in the attack chain are to steal a privileged credential and laterally move across the network. If you aren’t logging authentications happening across your Active Directory, cloud services, and assets, then it’s a tough order to detect account impersonation or malicious lateral movement.
Modern SIEMs like InsightIDR combine log management with user behavior analytics, which means once you set up the data connections, you get real-time insights into user behavior along with a searchable audit trail.
Internal process for responding to a cybersecurity event
Technology can be essential to detecting threats, but your team will need to take action on the results. In the model law, it’s listed under 4H: Incident Response Plan: “Each Licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event...”
If you’re tackling writing or updating your plan, check out our guide, "Prepare for Battle: Building an Incident Response Plan." Unlike traditional MSSP offerings, we want to provide security expertise in the areas where you need it the most. That can range from assessing your current security maturity, providing you with an incident response retainer, or providing full-cycle detection and response with our managed detection and response services.
This section also reiterates the requirement to document and report on all events, both around threats and response actions. This is where investment in SIEM over log management pays dividends, as built-in incident investigation workflows and compliance dashboards make your program scalable and keep your analysts out of tedious, low-value work.
Meeting a broad range of requirements in one
The good news is, many of the seemingly diverse requirements of the model law can be met while investing in incident detection and response. If you have a sustainable set of people, processes, and technology that consistently reduce risk across vulnerabilities, misconfigurations, and credentials—and have visibility into active exploitation in these categories—you’re in great shape.
Therein comes the biggest advantage of partnering with Rapid7: our constant research of the attacker. At Rapid7, we’re continuously curating, analyzing, and validating threat intelligence across our research, customers, and community (did you catch our amazing Metasploit tee at Defcon?). As we research tactics, techniques, and procedures from our pen testers, incident response teams, and our managed detection and response customers, we add new detections to InsightIDR. These analytics automatically apply against your data, giving you coverage backed by findings from our threat intel team.
If you’d like to give InsightIDR a spin to see not only how it can meet many Insurance Data Security Model Law requirements but help you find and respond to threats, sign up for a free 30-day trial.