For this next installment of Cybersecurity Spotlight, I chatted with Matt Ahrens, a security engineer for Coalition, which provides comprehensive cybersecurity insurance coverage and tools to small- and medium-sized businesses.
Matt traces the genesis of his passion for security back to when he volunteered to help a teacher build and manage a lab of Linux computers at his high school. He wasn’t paid for his work then – and didn’t much care. As a professional, he spent more than a decade doing penetration testing, digital forensics, and IT operations before helping to start a forensics firm in 2015. Now based in Arlington, Va., at Coalition, Matt applies his expertise to evaluate customers’ cybersecurity vulnerabilities, helping underwriters to assess risk and assign an insurance policy price. He also consults to customers on how to fix the vulnerabilities he finds.
How do you approach this largely uncharted territory of monetizing cyber risk and insuring a network?
There are actuarial tables that’ll tell you that you’re going to die at the age of 86 and if you’re in these categories your percentage goes up by this much, therefore this is how much we charge you for your life insurance. But there aren’t similar models from the cyber side. We’re trying to get some of that straight. I do think insurance is going to drive industry pretty heavily and push companies to apply better cyber security hygiene. There’s a lot more competition to Coalition than there was a few months ago. We’re looking at how we reduce the low-hanging fruit and provide cover for the major events. How do we take on the wide risks, not the narrow risks? What I mean by wide is the very common things. Like, what are three things some kid in Malaysia can scan the internet for and operationalize into cash? Not necessarily the targeted attack, that spear phishing attack that goes in with a Word document to get your credit card numbers. Those are not what I’m focused on right now. I’m really still focused on the basics.
What do you care about the most in your job?
A lot of what I care about the most right now is maybe automating myself out of a job. In order for the business to work, I can’t be manually reviewing a lot of different companies. I have to have those business rules, that knowledge that I’m bringing inside of manual analysis, and taking that out to make it more automated. For example, when we find a version of a Drupal content management system that’s old, instead of doing a manual write-up for that, we would simply click the button or the system would say, “It’s version X, it’s older than version Y, here are the procedures to take it up a notch.” It’s making sure that that’s all automated and simplifying that part of the job to build better models.
Thinking back, are you now where you thought you’d be?
Ten years ago, I’d have had no idea that I would be working for an insurance company. As many of the younger people are coming into industry now, I really think there’s a lot of focus on the offensive work, which I was similarly attracted to. I don’t necessarily think that people talk about the blue team and any of the defensive work as much. The investigative work in forensics and breach response is probably the most interesting. When I came on, I wanted to go break into people’s computers and break into networks. But I really pivoted off, widening my experience levels and seeing things more holistically.
What’s your opinion of the cybersecurity product market?
I think there’s a lot of FUD [fear, uncertainty, and doubt] sales. There’s a lot of products that are selling to the security one percenters – those really mature, big programs that can leverage those tools. But if you talk about where there’s a wide market, I think it’s more the traditional tools that almost every organization can use. And for these tools, like your next-gen firewalls or your web content filter—whatever the product is—I think delivery becomes of the utmost importance. Even if you are not the best technology, if you can deliver a polished, consistent, and reliable product, that is going to trump almost everything else in the market. Just the way things look and feel can make a big difference.
What’s a big misconception about people in cybersecurity, and how do you work to overcome it?
I’d say this is the biggest one: The security person never says yes, always says no. How I try to combat that is I try to avoid saying no, but I try to suggest a more secure path. So, for example, if I find something like a company using remote desktop on the internet, I don’t want to tell them to disable remote desktop completely; I want to tell them to secure it in a better way. And maybe that is enabling stronger authentication to prevent brute force or credential stuffing attacks. Or maybe that is writing firewall rules to limit access to known IP addresses. The basic gist of it is that you can still have something risky as long as you’ve applied some mitigating controls to reduce the risk. It’s a method I’ve tried to use throughout my career.
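One way to put that “secure it in a better way” approach into practice, as an added example that is not part of the interview: a PowerShell snippet, run elevated on the Windows host, that replaces an inbound RDP rule open to any address with one scoped to known management addresses and then turns on Network Level Authentication and account lockout. The 203.0.113.0/24 range is a placeholder assumption, not a value from the page.

```powershell
# Added example (not from the interview): apply mitigating controls to an
# Internet-exposed RDP listener instead of disabling Remote Desktop outright.
# Assumptions: run in an elevated session on the Windows host; 203.0.113.0/24
# is a placeholder for the organization's real management address ranges.

$KnownSources = @('203.0.113.0/24')   # placeholder: replace with real ranges

# Weak state: an enabled inbound allow rule for TCP/3389 whose remote address is Any.
# This is what "remote desktop on the internet" usually looks like on the host itself.
$open = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        (($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389') -and
        (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
    }

foreach ($rule in $open) {
    Write-Host "Disabling unscoped RDP rule: $($rule.DisplayName)"
    Disable-NetFirewallRule -Name $rule.Name
}

# Mitigating control 1: firewall rule that only accepts RDP from known addresses.
New-NetFirewallRule -DisplayName 'RDP from known management addresses' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $KnownSources -Action Allow -Profile Any

# Mitigating control 2: require Network Level Authentication, so the client must
# authenticate before a session is created rather than at the login screen.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1

# Mitigating control 3: lock accounts after repeated failures to blunt
# brute-force and credential-stuffing attempts (threshold and minutes are examples).
net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15
```

Re-run the `Get-NetFirewallRule` query afterwards to confirm that no rule still allows TCP/3389 from Any.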
What advice do you have for others looking to get into the cybersecurity field?
I oftentimes like to see new people breaking into cyber security—if they don’t have the right experience set or technical skills—starting off in a security operations center. You get a deep understanding of how a company’s systems operate and act as the security center for the organization. Also, understanding technology and understanding the core functions of IT are very good basis points for making a security professional. If you don’t understand what you’re working on, how it works, it’s very difficult to protect it. And obviously all the functional pieces, like, what’s the difference between caching and encryption. The biggest focus is understanding the basics, understanding IT, and then understanding what the security functions are on top of it.
Matt’s approach is to always try to get to ‘yes’, helping customers to do what they want on their networks but do it more securely. He never anticipated that he’d find himself in the middle of the burgeoning cybersecurity insurance industry. And he now recognizes that the future is in aiming to solve broad risks, putting out reliable products that can automate finding and fixing vulnerabilities, and having people who fully understand the IT infrastructure they’re trying to protect.